Abstract


We extend the specification language of temporal logic, the corresponding verification framework, and the underlying computational model to deal with real-time properties of reactive systems.

Semantics We introduce the abstract computational model of timed transition systems as a conservative extension of traditional transition systems: qualitative fairness requirements are superseded by quantitative real-time constraints on the transitions. Digital clocks are introduced as observers of continuous real-time behavior. We justify our semantical abstractions by demonstrating that a wide variety of concrete real-time systems can be modeled adequately.

Specification We present two conservative extensions of temporal logic that allow for the specification of timing constraints: while timed temporal logic provides access to time through a novel kind of time quantifier, metric temporal logic refers to time through time-bounded versions of the temporal operators. We justify our choice of specification languages by developing a general framework for the classification of real-time logics according to their complexity and expressive power.

Verification We develop tools for determining if a real-time system that is modeled as a timed transition system meets a specification that is given in timed temporal logic or in metric temporal logic. We present both model-checking algorithms for the automatic verification of finite-state real-time systems and proof methods for the deductive verification of real-time systems. Both techniques are conservative generalizations of the corresponding conventional approaches to program verification, which abstract time from consideration.




There will be time, there will be time
To prepare a face to meet the faces that you meet;
There will be time to murder and create,
And time for all the works and days of hands
That lift and drop a question on your plate;
Time for you and time for me,
And time yet for a hundred indecisions,
And for a hundred visions and revisions,
Before the taking of a toast and tea.


Foreword 


This dissertation deals with a relatively new — and thus perhaps necessarily somewhat controversial — topic of research. We are concerned with the question

How can we formally prove that a computing system meets time deadlines, where "time" is not measured asymptotically by a function on the size of the input, but by a number of days, hours, minutes, seconds, and milliseconds?

While  the  crucial  importance  of  this  so-called  real-time  verification  problem  has  long  been 
realized  in  practice,  the  challenge  of  formal  reasoning  about  physical  time  has  stirred  the 
interest  of  the  theoretical  computer  science  community  only  recently,  and  only  halfheartedly 
at  that.  The  two  main  arguments  that  usually  are  brought  forward  to  justify  this  negligence 
on  the  side  of  the  theoreticians  run  as  follows: 

1. There is no real-time verification problem. The real-time behavior of a program depends on myriad factors such as the operating system and the underlying hardware. Worse, many of these factors generally are hidden from the programmer. If your program misses a real-time deadline by a constant factor, use (or wait for) a faster machine.

While this analysis of the problem is correct, the conclusion is not. Indeed, the real-time verification problem is far messier than the convenient abstraction of time by traditional program verification techniques. This observation only goes to show how clever these techniques are — and that they ought to be used whenever possible — but it does not make the need for, say, flight control systems disappear. Tampering with the speed of the machine is a naive nonsolution for the most important real-time systems, which are embedded in real-time environments whose speed is not under our control.


2. Granted, the verification of timing constraints is a real concern, but there is nothing special about the real-time verification problem per se. Time is but another parameter of the system state — treat it as such. That is, use the standard, established program verification techniques.

There is an obvious reply: no. Time is fundamentally different from the state components of a computing system. For all we know, time is continuous, monotonic, and divergent, and program variables generally happen not to have any of these characteristics. Only if we recognize the special status of time will we be able to find and exploit the intricacies of proving timing properties and avoid pitfalls like “Zeno” behaviors, which allow time to converge.

It  is  the  purpose  of  this  dissertation  to  provide  technical  arguments  that  substantiate 
the  gut  response.  As  a  case  in  point,  observe  that  time  ranges  over  an  infinite  domain  and, 
therefore,  the  verification  of  real-time  systems  escapes  all  of  the  widely  used  tools  that  have 
been  developed  for  the  verification  of  finite-state  systems.  We  will  show  that  this  need  not 
be  the  case:  with  some  effort  we  can  make  finite-state  techniques  work  if  a  program  variable 
ranges  over  all  natural  or  real  numbers,  provided  at  most  one  variable  does  so  and  provided 
the  value  of  the  variable  is  never  decreased.  Luckily,  time  happens  to  move  in  one  direction 
only. 
Chapter 0

Introduction 


real time: (software) (A) Pertaining to the processing of data by a computer in connection with another process outside the computer according to the time requirements imposed by the outside process. This term is also used to describe systems operating in conversational mode and processes that can be influenced by human intervention while they are in progress. (B) Pertaining to the actual time during which a physical process transpires, for example, the performance of a computation during the actual time that the related physical process transpires, in order that results of the computation can be used in guiding the physical process.

—  IEEE  Standard  Dictionary  of  Electrical  and  Electronics  Terms  [66] 


Many software and hardware components meet the tasks for which they have been designed only if they relate properly to the passage of time. Examples of such time-critical, or real-time, systems abound: embedded controllers have to oversee the operation of physical plants in physical time; the correctness of circuits and communication protocols often depends on gate delays and message delays, respectively. The behavior of computing systems in physical time is particularly difficult to predict by “inspection.” This is why real-time systems are prime targets for a formal approach to system specification, verification, and development.

Logical  formalisms  and  techniques  have  provided  valuable  aids  for  understanding  and 
proving  how  complex  computing  systems  behave.  Temporal  logic,  in  particular,  has  been 
established as a working tool for the design and analysis of concurrent programs. One shortcoming of conventional temporal logic, however, is that it admits only the treatment of qualitative timing requirements, such as the demand that an event occurs “eventually.” Because of this limitation, standard temporal logic is inadequate for the study of real-time systems, whose correctness depends crucially on the actual times at which events occur. In this thesis, we generalize the temporal methodology to encompass the analysis of real-time behavior.


0.1  The  Real-time  Verification  Problem 

A formal approach to the specification and verification of real-time systems must

1. assume a particular mathematical model $C$ of computation,

2. assume a particular mathematical model $T$ of time,

3. use a formal language $L_I$ — the implementation language — for the description of systems and their behavior over time,

4. use a formal language $L_S$ — the specification language — for the description of qualitative as well as quantitative timing properties of systems,

5. present algorithms and/or proof rules that facilitate a formal argument that a particular system has a particular property under the assumed semantics of computation and time. We call this question — whether a system $S$, given as an expression of $L_I$, meets a specification $\phi$ given as an expression of $L_S$, with respect to the semantical assumption $(C, T)$ — the real-time verification problem for $(C, T, L_I, L_S)$:

$$S \models_{(C,T)} \phi$$

6. justify the adequacy of the semantical assumption $(C, T)$ by showing how an answer to the real-time verification problem for $(C, T, L_I, L_S)$, which asks a question about an abstract mathematical domain, relates to the behavior of concrete systems in physical time.
This thesis addresses several instances of the real-time verification problem. Some are solved by algorithms, some are served by proof systems, and others are shown to be so hard that neither method can succeed. In particular, we will study the real-time verification problem, and demonstrate its practical relevance, for the following values of the parameters $C$, $T$, $L_I$, and $L_S$:

Computational  model  As  we  are  primarily  interested  in  the  issues  that  are  particular 
to  time,  we  concentrate  on  a  single  simple  and  established  model  of  computation. 
Throughout this thesis, we shall represent computation by linear, interleaved traces.
Both  systems  and  properties  will  be  modeled  as  sets  of  traces.  Those  aspects  of 
computation  that  can  be  represented  only  by  branching  or  partial-order  structures  do 
not  concern  us. 

Time  model  We  investigate  two  models  of  time.  A  continuous  time  domain  is  required 
to  represent  the  exact  physical  time  of  events;  if  the  time  of  events  is  recorded  by  a 
fictitious  digital  clock,  a  discrete  time  domain  suffices. 

Implementation language A real-time implementation language should, from a practical point of view, be able to describe such real-time phenomena as time-outs and interrupts. We will argue that from a theoretical point of view, system descriptions should be executable, refinable, and independent of the time model. With timed transition systems we will introduce a language that satisfies these criteria.

Specification language A real-time specification language should, from a practical point of view, support natural and verifiable specifications of such real-time properties as time-bounded response, time-bounded invariance, and periodicity. We will argue that from a theoretical point of view, the language should strike a particular intrinsic balance between expressive power and complexity of the associated verification problem. With timed temporal logic and metric temporal logic we will introduce two orthogonal syntactic extensions of temporal logic that satisfy these criteria.

0.2  The  Temporal  Methodology 

Let us briefly review the temporal-logic approach to system specification and verification and, simultaneously, use this opportunity to outline the organization of this thesis, which advances the introduction of time into the temporal framework. The use of temporal logic for the formal analysis of reactive systems was first advocated by Pnueli [106]. The complete temporal methodology consists of four elements [91], all of which are affected by the addition of time. These four components structure the thesis:

Systems — syntax and semantics. The temporal approach is based on a trace model of computation. The semantics of a system as a set of traces is defined in four steps:

1. A concrete system $P$ typically is described in a graphical language, by a transition diagram, although the methodology is applicable to a wide variety of programming languages as well as hardware description languages.

2. The system $P$ is modeled as an abstract mathematical object $S_P$ called a transition system.

3. The formal semantics of the transition system $S_P$ is defined as a set $\Pi(S_P)$ of state sequences.

4. The set $\Pi(S_P)$ of state sequences represents the set $Beh(\Pi(S_P))$ of possible behaviors (i.e., traces) of the system $P$.

We incorporate time into this model by

1. describing a real-time system $P$ by a timed transition diagram,

2. modeling $P$ by a timed transition system $S_P$,

3. defining the semantics of $S_P$ as a set $\Pi(S_P)$ of timed state sequences, which associate a time with every state, and

4. having $\Pi(S_P)$ represent the possible behaviors $Beh(\Pi(S_P))$ of $P$ in physical time.

Chapter 1 introduces timed state sequences — a formal abstraction of real-time behavior and the cornerstone of our approach. Chapter 2 introduces timed transition systems — a formal abstraction of real-time systems — and demonstrates their ability to model a wide variety of real-time phenomena that are encountered in practice.


Specifications — syntax and semantics. The temporal approach uses temporal logic to specify qualitative timing properties of systems. A formula $\phi$ of temporal logic defines a set $\Pi(\phi)$ of state sequences, which represents the set $Beh(\Pi(\phi))$ of traces that are admitted by the specification $\phi$. Consequently, a system $P$ meets the specification $\phi$, denoted by $P \models \phi$, iff all possible behaviors of $P$ are admitted by $\phi$:

$$Beh(\Pi(S_P)) \subseteq Beh(\Pi(\phi))$$

We present two extensions of temporal logic that are interpreted over timed state sequences and allow the specification of quantitative timing properties. While timed temporal logic provides access to time through a novel kind of time quantifier, metric temporal logic refers to time through time-bounded versions of temporal operators. Chapter 3 introduces both languages and analyzes their expressive power and the complexity of their decision problems.

The  preceding  two  elements  of  the  temporal  methodology  fix  the  parameters  of  the  verifica¬ 
tion  problem  and  formalize  the  verification  task  as  one  of  checking  containment  of  trace  sets. 
The  following  two  elements  present  two  fundamentally  different  techniques  —  a  semantic 
one  and  a  syntactic  one  —  to  solve  this  task. 

Algorithmic verification — model checking. Model checking is a powerful automatic technique for the verification of systems with a finite state space. It relies on algorithms that check if a transition system meets a temporal-logic specification. Chapter 4 presents model-checking algorithms for timed transition systems and both timed and metric temporal logics. The real-time model-checking problem is shown to be exponentially harder than the corresponding untimed problem.

Deductive verification — proof rules. A deductive calculus is necessary for the verification of systems that escape model-checking methods because of the size of the state space. Such a proof system typically consists of three parts:

1.  The  general  part  axiomatizes  temporal  logic. 

2.  The  program  part  provides  proof  rules  for  reasoning  about  structural  properties 
of  a  particular  system. 

3.  The  domain  part  provides  proof  rules  for  reasoning  about  various  data  domains, 
if  such  a  need  arises. 

Chapter 5 axiomatizes timed temporal logic. Chapter 6 introduces the program part of two proof methodologies for verifying timed transition systems. The proof methods are shown to be complete relative to reasoning about data domains.


Part  I 


Specification 


Chapter  1 


An  Interleaving  Model 
for  Real  Time 


We study reactive systems — discrete systems that maintain an ongoing interaction with their environment [108]. Typical examples of reactive systems are distributed processes, which interact with each other, and real-time processes, whose interaction is prompted and constrained by the passage of time. In order to develop and apply a formal methodology for the specification and verification of a class of systems, the members of the class have to be modeled by mathematical objects. A model should be both adequate, in that it distinguishes between systems whose behaviors differ in one of the aspects under consideration, and abstract, in that it omits unnecessary detail by identifying systems without such disagreements.

One well-established approach to the modeling of reactive systems uses the paradigm of interleaving to represent concurrent activity. Whenever the simultaneous occurrence of several actions causes a distinct effect, such as process synchronization, the interleaving approach introduces joint “metaactions.” Independent concurrent actions, however, are simply nondeterministically sequentialized — as if they are performed in any order. It is this bold abstraction of representing the behavior of a system by a linear sequence of actions that brings about a major economic benefit, namely, that at any point only one action can occur and has to be analyzed. This astoundingly simple model turns out to be adequate for the study of many important properties of reactive systems. In particular, if the grain of atomicity of actions is chosen to be fine enough, it allows us to reason effectively about the correctness of concurrent programs, independent of whether they are implemented in multiprogramming or multiprocessing environments.

The standard interleaving model is, however, abstract with respect to physical time; it identifies systems that admit the same sequences of actions, even if they do so at radically different speeds. While this abstraction facilitates the analysis of speed-independent systems, it is blatantly inadequate for real-time systems. To handle the quantitative timing requirements of these systems, we have to refine our model of computation by adding a time dimension. It has been claimed, however, that the interleaving model is intrinsically unsuited for the adjunction of time and that a more realistic modeling of concurrent activity is needed for the study of real-time systems [73]. For, it is argued, two actions executed truly in parallel surely take less time than any sequential execution of both actions. One of the main points that we demonstrate in this thesis is a refutation of this claim. We show that by a careful incorporation of time into the interleaving model, we can still model adequately most of the phenomena that occur in the timed execution of systems and yet retain the important economic advantages of interleaving models.

The key insight for combining interleaving and real time is to confine all actions to happen “instantaneously.” This restriction proves workable, because any action $a$ that takes $\delta > 0$ time units can be modeled by two instantaneous actions, begin-$a$ and end-$a$, as well as a timing constraint that forces the latter action to happen (and only happen) $\delta$ time units after the former. Exploiting this observation, we may proceed to represent two independent simultaneous actions by nondeterministically interleaving the corresponding begin and end components as usual.

Having motivated an interleaving model of timed computation, we follow the temporal-logic tradition of modeling the behavior of reactive systems by sequences of states rather than actions. Actions will, in our model, be represented implicitly, through their effects on the states of a system. The requirement of instantaneousness of actions translates, therefore, into instantaneousness of state changes.


1.1  Timed  State  Sequences 

We study how reactive systems behave over time. The behavior of a system will be formalized as a sequence of snapshots of the global system state at certain times. The kinds of systems and phenomena that can be captured adequately in this fashion depend on when and how often snapshots can be taken and on how accurately they can be timed:


When We do not restrict the times at which the state of a system can be observed; snapshots may be taken at any real point in physical, continuous time. This enables us to model both synchronous (clocked) processes, all of whose state changes occur in lock-step with a digital clock, and more general asynchronous processes, which change their state at arbitrary real points in time.

In fact, we allow several snapshots to be taken at the same time. Since state changes are instantaneous, such contemporaneous observations may yield different results. The possibility of several contemporaneous, yet ordered, snapshots is imperative for modeling simultaneous state changes by interleaving, as has been pointed out above.

How often We do require the number of snapshots to be countable; that is, we cannot observe the state of a system at every real point in time. Furthermore, we permit only finitely many snapshots between any two points in time; thus we prohibit infinite “Zeno” sequences of snapshots, whose times converge towards a real point in time. These restrictions are entirely adequate for modeling discrete processes, which change their state only finitely often between any two points in time and, thus, can be described completely by a divergent $\omega$-sequence of state changes. We make no attempt to model continuous processes other than through discrete approximations.

How  accurately  The  times  of  snapshots  are  recorded  by  a  global  (fictitious)  clock.  We 
distinguish  between  different  manifestations  of  the  clock.  An  analog  clock  gauges  the 
time  of  every  snapshot  with  infinite  precision,  while  a  digital  clock  records  only  the 
number  of  clock  ticks,  with  respect  to  some  time  unit  chosen  a  priori,  between  any 
two  snapshots. 

We emphasize that the type of clock that is used to time-stamp observations is completely independent of whether we model a system that is synchronous or asynchronous, discrete or continuous: even if the time of a snapshot is recorded by a digital clock, it may occur at any real point in time; even if we employ an analog clock, we can take at most countably many snapshots.
Formally, an observation is a pair that consists of a state showing the result of a snapshot and a time-stamp recording the time of the snapshot. A finite or infinite sequence

$$\rho:\ (\sigma_0, \tau_0) \to (\sigma_1, \tau_1) \to (\sigma_2, \tau_2) \to (\sigma_3, \tau_3) \to \cdots$$

of $|\rho| \in N \cup \{\omega\}$ observations is called a timed state sequence $\rho = (\sigma, \tau)$; it consists of a sequence $\sigma$ of $|\rho|$ states $\sigma_i$, where $0 \le i < |\rho|$, and a sequence $\tau$ of corresponding time-stamps $\tau_i \in TIME$. At this point, we do not commit to any particular time domain $TIME$; we only assume that there is a total ordering $\le$ on $TIME$ and demand that

Monotonicity Time does not decrease:

$$\tau_{i-1} \le \tau_i \quad \text{for all } 0 < i < |\rho|.$$

This condition ensures that the global logical order of snapshots is consistent with the temporal order. It permits, however, adjacent observations with the same time-stamp. Thus a timed state sequence can be viewed as imposing a two-level ordering on snapshots: the macro-order is determined by the time-stamps, and within each time-stamp, there is a local logical order of observations.

Progress Time progresses:

either $\rho$ is finite, or for all $\delta \in TIME$ there is some $i \ge 0$ such that $\tau_i > \delta$.

This condition ensures that the time-stamps of observations do not converge.

We consider three types of fictitious clocks. In the analog-clock model we take $TIME$ to be the nonnegative real numbers $R$; in the digital-clock model, the nonnegative integers $N$ — thus assuming that the ticks of a digital clock are exactly one time unit apart. If time is immaterial, we let $TIME$ be any trivial one-element domain $\mathbf{1}$; this case is referred to as the untimed model. We call timed state sequences of the analog-clock model precisely timed; of the digital-clock model, digitally timed; and of the untimed model, untimed. Untimed state sequences are often identified with their state components. In both the analog-clock and the digital-clock model, we assume the standard definitions of customary functions such as addition on the time domain; in the untimed model, the definition of any total function on the time domain is uniquely determined. We write $TSS_{TIME}$ for the set of timed state sequences over the time domain $TIME$; whenever the value of the parameter $TIME$ is unspecified (i.e., arbitrary), the subscript is suppressed. The set of all infinite timed state sequences is denoted by $TSS^\omega$.

The remainder of this thesis can be viewed as a contribution to the development of a formal theory of timed state sequences. We will propose, analyze, and relate various methods for defining (sets of) timed state sequences — methods that range from abstract specification languages, such as real-time logics, to concrete implementations of real-time systems.

Operations  on  timed  state  sequences 

We routinely use the following operations on timed state sequences. For any timed state sequence $\rho = (\sigma, \tau)$, let $\rho^\sigma$ be its state component $\sigma$; applied to a set $\Pi$ of timed state sequences, this “untime” operation yields the corresponding set $\Pi^\sigma$ of state components. By $\rho^i = (\sigma^i, \tau^i)$, for $0 \le i < |\rho|$, we denote the timed state sequence that results from $\rho$ by deleting the first $i$ observations. If $\delta \in TIME$, then $\rho + \delta = (\sigma, \tau + \delta)$ stands for the timed state sequence that is obtained from $\rho$ by adding $\delta$ to all times in $\tau$. Given two infinite timed state sequences $\rho = (\sigma, \tau)$ and $\rho' = (\sigma', \tau')$ and $\delta \in TIME$, we say that $\rho'$ is a $\delta$-suffix of $\rho$ iff for some $i \ge 0$,

(1) $\sigma' = \sigma^i$,

(2) either $i = 0$ or $\tau_{i-1} \le \delta$, and

(3) $\tau' + \delta = \tau^i$.

Note that $\rho$ has at least one $\delta$-suffix for every $\delta \in TIME$, but it may have several different $\delta$-suffixes: if $\rho$ contains $n$ observations with the time-stamp $\delta$, then there are $n + 1$ distinct $\delta$-suffixes of $\rho$. For example, the timed state sequence

$$(a,1) \to (b,3) \to (c,3) \to (d,4) \to (e,5) \to \cdots$$

has one 2-suffix,

$$(b,1) \to (c,1) \to (d,2) \to (e,3) \to \cdots$$

and three 3-suffixes:

$$(b,0) \to (c,0) \to (d,1) \to (e,2) \to \cdots$$

$$(c,0) \to (d,1) \to (e,2) \to \cdots$$

$$(d,1) \to (e,2) \to \cdots$$


Modeling  system  behaviors  by  timed  state  sequences 

We will define the formal semantics of a reactive system $S$ as a set of timed state sequences that represents the possible behaviors of $S$. To do this properly, we have to address the following two issues:

1. Given a set $\Pi$ of timed state sequences, which set $B$ of system behaviors does $\Pi$ represent? We take the view that a timed state sequence $\rho$ is obtained by observing a system and, consequently, represents any behavior that may result in the observation sequence $\rho$.

2. Given a set $B$ of system behaviors, is there a set $\Pi$ of timed state sequences that represents $B$? If there are several such sets $\Pi$, is there a preferred one? Indeed, we are limited to a certain class of reactive systems that can be represented by a timed state sequence semantics in both the analog-clock model and the digital-clock model. Moreover, for any system $S$ in this class, we will select a particular set of timed state sequences to represent the possible behaviors of $S$, because we shall require that the semantics of $S$ satisfies certain closure conditions.

Both of these issues are discussed in the rest of this chapter. While the remainder of Section 1.1 provides a formal answer to the first question, Section 1.2 addresses the second point. The practically oriented reader who is not interested in the details of modeling reactive systems by sets of timed state sequences may proceed immediately to Chapter 2, which defines and illustrates the timed state sequence semantics of concrete systems.

1.1.1 Actual versus observed behavior

A timed state sequence is the result of observing the behavior of a reactive system. We say that a sequence of snapshots is state-complete iff every system state is observed; it is time-complete iff every real point in time is observed. While we demand state-completeness when observing discrete systems, no countable number of snapshots can be time-complete. Thus, unlike a state sequence when time is of no interest, a timed state sequence may not uniquely define the actual behavior of a system in physical time; observing different system behaviors can result in the same state-complete timed state sequence. There are two reasons for this ambiguity:


1. Two contemporaneous observations are necessary to obtain complete information
about a state change: one snapshot showing the state immediately before and the
other showing the state immediately after the instantaneous state change. If a timed
state sequence fails to observe a state change in this fashion, then it does not define
a unique system behavior. For example, if given the (state-complete) precisely timed
observation sequence

$(a,5) \rightarrow (b,6)$,

all we know is that the system state changes from $a$ to $b$ between time 5 and time 6;
the actual state change may occur as early as at time 5.1 or as late as at time 5.9.

2. In the digital-clock model, there is a second source of ambiguity, which is caused by
the inaccuracy of the fictitious clock that records the times of snapshots. For example,
if given the (state-complete) digitally timed observation sequence

$(a,5) \rightarrow (b,5)$,

all we know is that the system state changes from $a$ to $b$ between the fifth and the
sixth tick of a digital clock; assuming that the first clock tick happens at time 0, the
state change may, again, occur as early as at time 5.1 or as late as at time 5.9.

Both sources of timing ambiguities need to be resolved. In other words, so far we have
given only the syntax of timed state sequences; we still need to agree on what a timed state
sequence, in either clock model, "means."

In the following two subsections, we will define the semantics of timed state sequences,
first for the analog-clock model and then for the digital-clock model. To eliminate both
sources of timing ambiguities, we introduce, on top of interleaving, two additional layers of
abstraction in modeling real-time behavior by $\omega$-sequences of observations:

1. Precisely timed observation of actual behavior: from behaviors of reactive systems
to timed state sequences over $\mathbb{R}$.

2. Digital timing of observed behavior: from timed state sequences over $\mathbb{R}$ to timed
state sequences over $\mathbb{N}$.

The untimed model requires neither layer; the analog-clock model, the first layer only; the
digital-clock model, both layers. In both steps, we use the convention that a timed state
sequence does not denote a single behavior, but rather that a set of timed state sequences
stands for a set of behaviors of a reactive system. For this purpose, we need to formalize
the notion of "(actual) behavior" of a system.

Real-time behavior

Not surprisingly, we employ timed state sequences that contain no timing ambiguities to
serve as representatives of system behaviors. A behavior is a timed state sequence $\rho = (\sigma, T)$
such that

Determinism  Time advances only if the state does not change:

for all $0 < i < |\rho|$, either $\sigma_{i-1} = \sigma_i$ or $T_{i-1} = T_i$.

This property ensures that every state change is observed by two contemporaneous
snapshots; a timed state sequence that satisfies it is called deterministic. For a set
$\Pi \subseteq \mathit{TSS}$, let $\mathit{Det}(\Pi) \subseteq \Pi$ be the set of all deterministic timed state sequences in $\Pi$.
A set $\Pi \subseteq \mathit{TSS}$ is called deterministic iff $\mathit{Det}(\Pi) = \Pi$.

Stutter-freedom  Time advances to the next state change:

for all $0 < i < |\rho|$, not both $\sigma_{i-1} = \sigma_i$ and $T_{i-1} = T_i$; and

for all $0 \le i < |\rho|$, either $i > 0$ and $\sigma_{i-1} \ne \sigma_i$, or $i < |\rho| - 1$ and $\sigma_i \ne \sigma_{i+1}$.

This property ensures that a minimal number of snapshots is taken; a timed state
sequence that satisfies it is called stutter-free. Note that according to our definition,
if $\rho \in \mathit{TSS}$ is stutter-free, then $|\rho| > 1$.

We write $\mathit{Beh}(\Pi) \subseteq \Pi$ for the set of all behaviors in $\Pi \subseteq \mathit{TSS}$.

A behavior of the analog-clock model is called a real-time behavior. Determinism by
itself guarantees that a precisely timed state sequence uniquely defines the behavior of a
system in physical time, because any state-complete deterministic timed state sequence
over $\mathbb{R}$ contains enough information to determine the precise time of every state change.
However, depending on how many repetitious snapshots of a system state are taken, the
same system behavior may result in different deterministic sequences of observations. The
requirement of stutter-freedom has been added to obtain a bijection between actual and
observed system behaviors.

Another operation on timed state sequences

It will turn out to be convenient to have an operation on timed state sequences that removes
redundant observations. Given a timed state sequence $\rho$, we define the timed state
sequence $\natural\rho$ to be a maximal stutter-free subsequence of $\rho$; that is, $\natural\rho$ results from $\rho$ by
deleting some observations. In particular, the observation $(\sigma_i, T_i)$, for $0 \le i < |\rho|$, is deleted
unless either the previous observation or the subsequent observation shows a state different
from $\sigma_i$; in addition, all observations but one in any subsequence of successive identical
observations are deleted. For example, if $\rho$ is the timed state sequence

$(a,0) \rightarrow (a,1) \rightarrow (b,1) \rightarrow (c,1) \rightarrow (c,1) \rightarrow (d,1) \rightarrow (d,2) \rightarrow (d,3) \rightarrow (e,5)$,

then $\natural\rho$ is the timed state sequence

$(a,1) \rightarrow (b,1) \rightarrow (c,1) \rightarrow (d,1) \rightarrow (d,3) \rightarrow (e,5)$.

Note that a timed state sequence $\rho$ is deterministic iff $\natural\rho$ is deterministic. Consequently,
if $\rho$ is deterministic, then $\natural\rho$ is a behavior. For $\Pi \subseteq \mathit{TSS}$, let $\natural\Pi = \{\natural\rho \mid \rho \in \Pi\}$. Thus, for
any set $\Pi$ of timed state sequences, the set

$\natural\mathit{Det}(\Pi) = \mathit{Det}(\natural\Pi)$

is a set of behaviors.
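As an added worked example (this code is not part of the thesis), the following Python implements the two defining predicates of a behavior and the operator $\natural$ on finite timed state sequences, and reproduces the example above. The encoding is an assumption of the example: a timed state sequence is a list of (state, time) pairs with exact rational times, and the names `tss`, `is_deterministic`, `is_stutter_free`, `unstutter` and `behaviors` are this example's own.

```python
from fractions import Fraction
from typing import List, Tuple

# Encoding used by this example: a finite timed state sequence rho = (sigma, T)
# is a list of observations (state, time); times are exact Fractions so that
# tests such as T_{i-1} = T_i never suffer from floating-point rounding.
Obs = Tuple[str, Fraction]
TSS = List[Obs]


def tss(*observations) -> TSS:
    """Build a timed state sequence from (state, time) pairs; a time may be an
    int or a decimal string such as "0.5" (parsed exactly)."""
    return [(state, Fraction(time)) for state, time in observations]


def is_deterministic(rho: TSS) -> bool:
    """Determinism: for all 0 < i < |rho|, sigma_{i-1} = sigma_i or T_{i-1} = T_i,
    i.e. time never advances across a state change."""
    return all(s0 == s1 or t0 == t1 for (s0, t0), (s1, t1) in zip(rho, rho[1:]))


def is_stutter_free(rho: TSS) -> bool:
    """Stutter-freedom: no two identical consecutive observations, and every
    observation differs in state from its predecessor or from its successor.
    A single observation is never witnessed, so |rho| > 1 follows; the empty
    sequence is excluded as well."""
    n = len(rho)
    no_repeats = all(rho[i - 1] != rho[i] for i in range(1, n))
    witnessed = all((i > 0 and rho[i - 1][0] != rho[i][0])
                    or (i < n - 1 and rho[i][0] != rho[i + 1][0])
                    for i in range(n))
    return n > 1 and no_repeats and witnessed


def is_behavior(rho: TSS) -> bool:
    """A behavior is a deterministic, stutter-free timed state sequence."""
    return is_deterministic(rho) and is_stutter_free(rho)


def unstutter(rho: TSS) -> TSS:
    """The operator natural(rho): the maximal stutter-free subsequence of rho."""
    # Keep one observation per run of identical observations.
    collapsed: TSS = []
    for obs in rho:
        if not collapsed or collapsed[-1] != obs:
            collapsed.append(obs)
    # Delete every observation unless a neighbour shows a different state.
    n = len(collapsed)
    return [collapsed[i] for i in range(n)
            if (i > 0 and collapsed[i - 1][0] != collapsed[i][0])
            or (i < n - 1 and collapsed[i][0] != collapsed[i + 1][0])]


def behaviors(pi: List[TSS]) -> List[TSS]:
    """Beh(Pi) for a finite set Pi, given as a list of sequences."""
    return [rho for rho in pi if is_behavior(rho)]


# The example sequence from the text.
RHO = tss(("a", 0), ("a", 1), ("b", 1), ("c", 1), ("c", 1),
          ("d", 1), ("d", 2), ("d", 3), ("e", 5))

if __name__ == "__main__":
    print(unstutter(RHO))         # [(a,1), (b,1), (c,1), (d,1), (d,3), (e,5)]
    print(is_deterministic(RHO))  # False: (d,3) -> (e,5) changes state and time
```

Running the block prints $\natural\rho$ for the example and shows that $\rho$ is not deterministic (the step $(d,3) \rightarrow (e,5)$ changes both state and time), which, as the text notes, is exactly when $\natural\rho$ is not deterministic either.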

1.1.2 Analog-clock semantics

We define our interpretation of timed state sequences in the analog-clock model in such a
way that every precisely timed state sequence $\rho$ denotes a set $[\![\rho]\!]$ of real-time behaviors.
Informally, we take $[\![\rho]\!]$ to contain all real-time behaviors that are consistent with the
observation sequence $\rho$ under the assumption of state-completeness; that is, at any point in
time, the system state is assumed to be equal to one of the two states shown by neighboring
observations. This interpolation of states induces a closure operation on sets of timed state
sequences.

Stuttering

A set $\Pi$ of timed state sequences is weakly closed under stuttering iff whenever the sequence

$\cdots \rightarrow (\sigma_i, T_i) \rightarrow (\sigma_{i+1}, T_{i+1}) \rightarrow \cdots$

is in $\Pi$, then so are the sequences

$\cdots \rightarrow (\sigma_i, T_i) \rightarrow (\sigma_i, \delta) \rightarrow (\sigma_{i+1}, T_{i+1}) \rightarrow \cdots$

and

$\cdots \rightarrow (\sigma_i, T_i) \rightarrow (\sigma_{i+1}, \delta) \rightarrow (\sigma_{i+1}, T_{i+1}) \rightarrow \cdots$

for all $T_i \le \delta \le T_{i+1}$; whenever the sequence

$(\sigma_0, T_0) \rightarrow \cdots$

is in $\Pi$, then so is the sequence

$(\sigma_0, \delta) \rightarrow (\sigma_0, T_0) \rightarrow \cdots$

for all $\delta \le T_0$; and whenever the finite sequence

$\cdots \rightarrow (\sigma_n, T_n)$

is in $\Pi$, then so are all infinite timed state sequences of the form

$\cdots \rightarrow (\sigma_n, T_n) \rightarrow (\sigma_n, T_{n+1}) \rightarrow (\sigma_n, T_{n+2}) \rightarrow \cdots$.

The set $\Pi \subseteq \mathit{TSS}$ is called strongly closed under stuttering iff

(1) $\Pi$ is weakly closed under stuttering and

(2) $\natural\Pi \subseteq \Pi$.

While closing a set $\Pi$ under weak stuttering can only add observations to timed state
sequences in $\Pi$, closing $\Pi$ under strong stuttering may require the deletion of redundant
observations. Given a set $\Pi$ of timed state sequences, we define the weak stuttering closure
$\Gamma(\Pi)$ of $\Pi$ to be the smallest set of timed state sequences that contains $\Pi$ and is weakly
closed under stuttering; the (strong) stuttering closure $\Gamma_\natural(\Pi)$ of $\Pi$ is the smallest set of
timed state sequences that contains $\Pi$ and is strongly closed under stuttering. If $\rho \in \mathit{TSS}$,
we simply write $\Gamma(\rho)$ and $\Gamma_\natural(\rho)$ for the weak and strong stuttering closures of $\{\rho\}$.
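The weak stuttering closure $\Gamma(\rho)$ of a single sequence is infinite, but membership in it is decidable for finite sequences. As an added example (not part of the thesis), the following Python decides $\rho' \in \Gamma(\rho)$ by reading the first two insertion rules as a pattern that $\rho'$ must match: copies of $(\sigma_0, \delta)$ with $\delta \le T_0$ in front of the original first observation, and, between two original observations, a run of $(\sigma_i, \delta)$ followed by a run of $(\sigma_{i+1}, \delta')$ with $T_i \le \delta \le \delta' \le T_{i+1}$. The third rule produces only infinite sequences and so has no finite instance to check. The encoding and the names `tss` and `in_weak_closure` are this example's own.

```python
from fractions import Fraction
from functools import lru_cache
from typing import List, Tuple

# Encoding assumed by this example: a finite timed state sequence is a list of
# (state, time) observations with exact rational times.
Obs = Tuple[str, Fraction]
TSS = List[Obs]


def tss(*observations) -> TSS:
    """Finite timed state sequence from (state, time) pairs; times may be ints
    or decimal strings such as "5.5"."""
    return [(state, Fraction(time)) for state, time in observations]


def in_weak_closure(rho_prime: TSS, rho: TSS) -> bool:
    """Decide rho' in Gamma(rho) for finite rho and rho'.

    A copy of an original observation may also be read as an inserted one, so
    the matching is not unique; a memoised search over every way of choosing
    which copy is "the original" settles it.  A finite rho' that stutters past
    the last observation of rho is rejected: only the third (infinite) rule
    could produce it."""
    if not rho:
        return False
    # Every timed state sequence has nondecreasing times.
    if any(t0 > t1 for (_, t0), (_, t1) in zip(rho_prime, rho_prime[1:])):
        return False
    n = len(rho_prime)

    @lru_cache(maxsize=None)
    def rest(i: int, k: int) -> bool:
        # rho_prime[k:] must realise rho[i+1:], given that rho_prime[k-1]
        # was taken as the original observation rho[i].
        if i == len(rho) - 1:
            return k == n
        (si, ti), (sj, tj) = rho[i], rho[i + 1]
        m = k
        # Phase A: inserted copies of sigma_i; phase B: inserted copies of
        # sigma_{i+1}.  Any copy equal to rho[i+1] may serve as the original.
        for phase_state in (si, sj):
            while (m < n and rho_prime[m][0] == phase_state
                   and ti <= rho_prime[m][1] <= tj):
                if rho_prime[m] == (sj, tj) and rest(i + 1, m + 1):
                    return True
                m += 1
        return False

    s0, t0 = rho[0]
    m = 0
    while m < n and rho_prime[m][0] == s0 and rho_prime[m][1] <= t0:
        if rho_prime[m] == rho[0] and rest(0, m + 1):
            return True
        m += 1
    return False


if __name__ == "__main__":
    base = tss(("a", 5), ("b", 6))
    print(in_weak_closure(tss(("a", 5), ("a", "5.5"), ("b", 6)), base))  # True
    print(in_weak_closure(tss(("a", "5.5"), ("b", 6)), base))            # False
```

Note the second call: $(a,5.5) \rightarrow (b,6)$ is not in $\Gamma((a,5) \rightarrow (b,6))$, even though it is one of the deterministic sequences obtained from $(a,5) \rightarrow (b,6)$ by interpolation and therefore does lie in its strong closure, which is why the strong closure needs the operator $\natural$ on top of the insertion rules.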

We now list a few useful properties of stuttering closures. Clearly, $\Gamma(\Pi) \subseteq \Gamma_\natural(\Pi)$ for all
$\Pi \subseteq \mathit{TSS}$. If $\Pi$ is deterministic, then so are both $\Gamma(\Pi)$ and $\Gamma_\natural(\Pi)$; thus, if $\Pi$ is (weakly)
closed under stuttering, then so is $\mathit{Det}(\Pi)$.

Lemma 1.1 (Stuttering)  For every set $\Pi$ of timed state sequences, $\natural\Gamma(\natural\Gamma(\Pi)) = \natural\Gamma(\Pi)$.

Proof of Lemma 1.1  We assume that $\rho \in \natural\Gamma(\natural\Gamma(\Pi))$, that is, $\rho = \natural\rho_1$ and $\rho_1 \in \Gamma(\natural\Gamma(\rho_2))$
for some $\rho_2 \in \Pi$, and show that $\rho \in \natural\Gamma(\Pi)$. Let $\rho_3 \in \Gamma(\rho_1) \cap \Gamma(\rho_2)$ be the timed state
sequence that results from merging both $\rho_1$ and $\rho_2$. It is not hard to see that $\rho = \natural\rho_3$ and,
therefore, $\rho \in \natural\Gamma(\rho_2)$. ■

This lemma implies that strong closure under stuttering can be obtained by a single
application of the "unstutter" operator $\natural$:

$\Gamma_\natural(\Pi) = \Gamma(\natural\Gamma(\Pi))$.

It follows that $\Gamma(\Pi) = \Gamma_\natural(\Pi)$ iff $\Pi$ is a set of behaviors.

Stuttering semantics

In any clock model, we let a timed state sequence stand for the set of all sequences in its
(strong) stuttering closure. Accordingly, a set $\Pi$ of timed state sequences is said to specify
under stuttering the set

$[\![\Pi]\!] = \mathit{Beh}(\Gamma_\natural(\Pi))$

of behaviors; if $\rho \in \mathit{TSS}$, we abbreviate $[\![\{\rho\}]\!]$ to $[\![\rho]\!]$. Note that if $\Pi' \subseteq \mathit{TSS}$ is strongly
closed under stuttering, then $\natural\Pi'$ selects exactly the stutter-free sequences in $\Pi'$. Hence we
can characterize the set $[\![\Pi]\!]$ of behaviors in $\Gamma_\natural(\Pi)$ as follows:

$[\![\Pi]\!] = \natural\mathit{Det}(\Gamma_\natural(\Pi))$.

Since $\natural$ and $\mathit{Det}$ commute, by Lemma 1.1 we have, equivalently, that

$[\![\Pi]\!] = \natural\mathit{Det}(\Gamma(\Pi))$.

Also observe that $\mathit{Beh}(\Pi) \subseteq [\![\Pi]\!]$ and

$[\![\Pi]\!] = \bigcup_{\rho \in \Pi} [\![\rho]\!]$

for all $\Pi \subseteq \mathit{TSS}$. If $\Pi$ is closed under stuttering, then $[\![\Pi]\!] = \mathit{Beh}(\Pi)$; if $\Pi$ is deterministic,
then $[\![\Pi]\!] = \natural\Pi$; if $\Pi$ is a set of behaviors, then $[\![\Pi]\!] = \Pi$.

A precisely timed state sequence $\rho$ specifies, under stuttering, a set of real-time behaviors
$[\![\rho]\!]$; we agree that the analog denotation of a set $\Pi$ of precisely timed state sequences
is $[\![\Pi]\!]$. This interpretation of observation sequences has the properties we desire:

1. A deterministic precisely timed observation sequence $\rho$ denotes the real-time behavior $\natural\rho$.

2. A nondeterministic precisely timed observation sequence $\rho$ denotes the set of all real-time
behaviors that correspond to deterministic sequences that are obtained from $\rho$
by interpolating states.

3. A set $\Pi$ of precisely timed observation sequences denotes the set of all real-time
behaviors that correspond to sequences in $\Pi$.

Two sets of timed state sequences are called equivalent under stuttering iff they specify
under stuttering the same set of behaviors. For example, the singleton set that contains the
timed state sequence

$(a,5) \rightarrow (b,6)$

is, under stuttering, equivalent to the set that contains all timed state sequences of the form

$(a,\delta) \rightarrow (b,\delta)$

with $5 \le \delta \le 6$, which is infinite in the analog-clock model. Also, any two sets of timed
state sequences with the same stuttering closure are equivalent under stuttering. Two sets
of behaviors are equivalent under stuttering iff they are equal.



We have defined equivalence in the analog-clock model as equivalence under stuttering.
It is worth pointing out that, in addition, our definitions of weak stuttering closure, stutter-freedom,
and equivalence under stuttering properly generalize the corresponding untimed
notions for state sequences [1]: if $\mathit{TIME} = 1$, then $\Gamma(\bar\rho) = \overline{\Gamma(\rho)}$ and $\natural(\bar\rho) = \overline{\natural\rho}$.
There is no untimed equivalent to determinism, because every untimed state sequence is
trivially deterministic. We conform with the usual convention that, in the untimed model,
a set $\Pi$ of untimed state sequences denotes the set $[\![\Pi]\!] = \natural\Pi$ of untimed behaviors.

Transparency

We will reserve a special role for sets of precisely timed state sequences whose analog
denotation is immediately apparent. A set $\Pi$ of timed state sequences is called transparent
iff

$[\![\Pi]\!] = \mathit{Beh}(\Pi)$;

that is, a transparent set $\Pi$ specifies under stuttering precisely the behaviors in $\Pi$. Note
that all sets of timed state sequences that are closed under stuttering are transparent.

1.1.3 Digital-clock semantics

Recall that we assume that successive clock ticks of a digital clock are precisely one time
unit apart. In other words, we scale time so that a time unit corresponds to the distance
between two ticks of a digital clock. Still, there are infinitely many "different" digital clocks
that meet this requirement, one for every real number $0 \le \epsilon < 1$, which determines the
absolute times at which the clock ticks occur. It will be useful to have all of these clocks
available. Thus we shall henceforth identify digital clocks with reals in the interval $[0,1)$.
For example, the digital clock 0.5 ticks first at time 0.5, then at time 1.5, then at time 2.5,
and so on.

Digitization

If the times of a sequence $\rho \in \mathit{TSS}_{\mathbb{R}}$ of snapshots are recorded by a digital clock $\epsilon$, we obtain
a timed state sequence, denoted by $[\rho]_\epsilon$, over $\mathbb{N}$. For any timed state sequence $\rho = (\sigma, T)$
and digital clock $0 \le \epsilon < 1$, let the digitization $[\rho]_\epsilon = (\sigma, [T]_\epsilon)$ of $\rho$ with respect to $\epsilon$ be the
timed state sequence

$(\sigma_0, [T_0]_\epsilon) \rightarrow (\sigma_1, [T_1]_\epsilon) \rightarrow (\sigma_2, [T_2]_\epsilon) \rightarrow (\sigma_3, [T_3]_\epsilon) \rightarrow \cdots$,

where $[x]_\epsilon = \lfloor x \rfloor$ if $x \le \lfloor x \rfloor + \epsilon$, else $[x]_\epsilon = \lceil x \rceil$ (so the boundary case $x = \lfloor x \rfloor + \epsilon$
rounds down, as the observation $(b,0.5)$ in the example below shows). In words, the digitization $[\rho]_\epsilon$ results from $\rho$
by rounding, with respect to $\epsilon$, all times to integers. For example, if $\rho$ is the timed state
sequence

$(a,0.1) \rightarrow (b,0.5) \rightarrow (c,0.6) \rightarrow (d,1.4) \rightarrow (e,5) \rightarrow (f,6.9)$,

then $[\rho]_{0.5}$ is the timed state sequence

$(a,0) \rightarrow (b,0) \rightarrow (c,1) \rightarrow (d,1) \rightarrow (e,5) \rightarrow (f,7)$.

For a set $\Pi$ of timed state sequences, let $[\Pi] \subseteq \mathit{TSS}_{\mathbb{N}}$ be the set of all digitizations of
sequences in $\Pi$:

$[\Pi] = \{[\rho]_\epsilon \mid \rho \in \Pi \text{ and } 0 \le \epsilon < 1\}$;

if $\rho \in \mathit{TSS}$, then $[\{\rho\}]$ is abbreviated to $[\rho]$. Note that if $\Pi$ is a set of timed state sequences
over $\mathbb{N}$, then $[\Pi] = \Pi$.

Digitization semantics

Now let us define our interpretation of digitally timed state sequences. Recall that every
digitally timed state sequence $\rho$ stands, in fact, for its stuttering closure $\Gamma_\natural(\rho) \subseteq \mathit{TSS}_{\mathbb{N}}$. We
have already pointed out that the digital-clock model involves two layers of abstraction:

1. First we will associate with a set $\Pi \subseteq \mathit{TSS}_{\mathbb{N}}$ of digitally timed observation sequences
a set $[\Gamma_\natural(\Pi)]^{-1} \subseteq \mathit{TSS}_{\mathbb{R}}$ of precisely timed observation sequences.

2. Then we will use the analog-clock semantics of $[\Gamma_\natural(\Pi)]^{-1}$ to define the set of
real-time behaviors denoted by $\Pi$.

If we have only a particular, or, worse yet, an unknown, digital clock to time-stamp
observations, there is a large number of precisely timed state sequences that may result
in a given sequence of digitally timed snapshots. To reduce the degree of ambiguity, we
assume that all digital clocks are, simultaneously, available when observing the behavior of
a system. Thus we obtain infinitely many, though not necessarily distinct, digitally
timed state sequences from every precisely timed state sequence. For example, the timed
state sequence

$(a,0.5) \rightarrow (b,0.5)$

results, depending on which digital clock is used, in one of the two digitally timed state
sequences in the set

$\Pi = \{(a,0) \rightarrow (b,0),\ (a,1) \rightarrow (b,1)\}$.

Moreover, a subset of $\Pi$ is obtained by simultaneous digitization with all digital clocks from
(and only from) precisely timed state sequences of the form

$(a,\delta) \rightarrow (b,\delta)$

with $0 \le \delta \le 1$. These are the precisely timed observation sequences that are, in our
interpretation of the digital-clock model, taken to be consistent with the set $\Pi$ of digitally
timed observation sequences.

Formally, a set $\Pi$ of timed state sequences over $\mathbb{N}$ is said to specify under digitization
the set

$[\Pi]^{-1} = \{\rho \in \mathit{TSS}_{\mathbb{R}} \mid [\rho] \subseteq \Pi\}$

of timed state sequences over $\mathbb{R}$ all of whose digitizations are contained in $\Pi$. It is not hard
to see that, in particular, $[\{\rho\}]^{-1} = \{\rho\}$ for all $\rho \in \mathit{TSS}_{\mathbb{N}}$. Moreover,

$[\Pi_1]^{-1} \cup [\Pi_2]^{-1} \subseteq [\Pi_1 \cup \Pi_2]^{-1}$

for all $\Pi_1, \Pi_2 \subseteq \mathit{TSS}_{\mathbb{N}}$. In general this subset relationship, and thus the subset relationship
$\Pi \subseteq [\Pi]^{-1}$ for all $\Pi \subseteq \mathit{TSS}_{\mathbb{N}}$, is a proper one. The "inverse" notation for $[\Pi]^{-1}$ stems from
the observation that $[[\Pi]^{-1}] = \Pi$. Inverse digitization preserves the following properties of
sets of timed state sequences:
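The set $[\rho]$ of all digitizations of a finite sequence is finite and can be computed exactly, which makes the test $\rho \in [\Pi]^{-1}$ decidable for a finite $\Pi$. As an added example (not part of the thesis) covering both the rounding rule $[x]_\epsilon$ of the previous subsection and the example $(a,0.5) \rightarrow (b,0.5)$ above, the following Python computes $[\rho]_\epsilon$, $[\rho]$ and membership in $[\Pi]^{-1}$. It relies on the observation, reasoned out in the comments, that $[x]_\epsilon$ depends on $\epsilon$ only through the test $\mathrm{frac}(x) \le \epsilon$, so finitely many clocks suffice. The encoding and the names `tss`, `round_eps`, `digitize`, `all_digitizations` and `in_inverse_digitization` are this example's own.

```python
from fractions import Fraction
from math import ceil, floor
from typing import List, Set, Tuple

# Encoding assumed by this example: a finite timed state sequence is a list of
# (state, time) observations with exact rational times; a set of digitally timed
# sequences is a Python set of tuples of observations.
Obs = Tuple[str, Fraction]
TSS = List[Obs]
DigitalSet = Set[Tuple[Obs, ...]]


def tss(*observations) -> TSS:
    """Finite timed state sequence from (state, time) pairs; times may be ints
    or decimal strings such as "0.5" (parsed exactly)."""
    return [(state, Fraction(time)) for state, time in observations]


def round_eps(x: Fraction, eps: Fraction) -> int:
    """[x]_eps = floor(x) if x <= floor(x) + eps, else ceil(x)."""
    lo = floor(x)
    return lo if x <= lo + eps else ceil(x)


def digitize(rho: TSS, eps) -> TSS:
    """[rho]_eps: rho as time-stamped by the digital clock eps in [0, 1)."""
    eps = Fraction(eps)
    if not 0 <= eps < 1:
        raise ValueError("a digital clock is a real number in [0, 1)")
    return [(state, Fraction(round_eps(t, eps))) for state, t in rho]


def all_digitizations(rho: TSS) -> DigitalSet:
    """[rho] = { [rho]_eps | 0 <= eps < 1 }, computed exactly.

    round_eps(x, eps) floors iff frac(x) <= eps, so as eps sweeps [0, 1) the
    digitization changes only when eps crosses the fractional part of some
    time in rho.  Hence eps = 0 together with eps = frac(T_i) for every i
    represents every distinct digitization; no sampling of eps is needed."""
    clocks = {Fraction(0)} | {t - floor(t) for _, t in rho}
    return {tuple(digitize(rho, eps)) for eps in clocks}


def all_digitizations_of_set(pi: List[TSS]) -> DigitalSet:
    """[Pi] for a finite set Pi of precisely timed sequences."""
    return set().union(*(all_digitizations(rho) for rho in pi))


def in_inverse_digitization(rho: TSS, pi: DigitalSet) -> bool:
    """rho in [Pi]^{-1}: every digitization of rho lies in Pi."""
    return all_digitizations(rho) <= pi


if __name__ == "__main__":
    rho = tss(("a", "0.1"), ("b", "0.5"), ("c", "0.6"),
              ("d", "1.4"), ("e", 5), ("f", "6.9"))
    print(digitize(rho, "0.5"))                          # times 0,0,1,1,5,7
    print(all_digitizations(tss(("a", "0.5"), ("b", "0.5"))))  # two sequences
```

With $\Pi = \{(a,0) \rightarrow (b,0),\ (a,1) \rightarrow (b,1)\}$, the membership test accepts $(a,\delta) \rightarrow (b,\delta)$ for $\delta = 0.3$ and for $\delta = 1$ but rejects $(a,0.3) \rightarrow (b,0.7)$, whose digitization with the clock $\epsilon = 0.3$ is $(a,0) \rightarrow (b,1) \notin \Pi$, matching the characterization of $[\Pi]^{-1}$ given in the text.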

Lemma 1.2 (Inverse digitization)  For every set $\Pi$ of digitally timed state sequences:

(1) $\mathit{Det}([\Pi]^{-1}) = [\mathit{Det}(\Pi)]^{-1}$.

(2) If $\Pi$ is weakly closed under stuttering, then so is $[\Pi]^{-1}$.

(3) If $\Pi$ is closed under stuttering, then so is $[\Pi]^{-1}$.
Proof of Lemma 1.2  (1) To see that $\mathit{Det}([\Pi]^{-1}) \subseteq [\mathit{Det}(\Pi)]^{-1}$, observe that whenever a
precisely timed state sequence $\rho$ is deterministic, then so is the set $[\rho]$ of digitizations. To
see that $[\mathit{Det}(\Pi)]^{-1} \subseteq \mathit{Det}([\Pi]^{-1})$, note that if $\rho$ is not deterministic, then there is some
$0 \le \epsilon < 1$ such that the digitization $[\rho]_\epsilon$ is not deterministic either.

(2) We suppose that $\Pi$ is weakly closed under stuttering and show that $[\Pi]^{-1}$ is weakly
closed under stuttering. Assume that $\rho \in [\Pi]^{-1}$, that is, $[\rho] \subseteq \Pi$, and that $\rho' \in \Gamma(\rho)$
for two precisely timed state sequences $\rho$ and $\rho'$. Then

$[\rho'] \subseteq [\Gamma(\rho)] \subseteq \Gamma([\rho]) \subseteq \Gamma(\Pi) \subseteq \Pi$,

which implies that $\rho' \in [\Pi]^{-1}$.

(3) We suppose that $\Pi$ is closed under stuttering; since part (2) implies that $[\Pi]^{-1}$
is weakly closed under stuttering, it suffices to show that $\natural[\Pi]^{-1} \subseteq [\Pi]^{-1}$. Assume that
$\rho \in \natural[\Pi]^{-1}$; that is, $\rho = \natural\rho'$ for some precisely timed state sequence $\rho'$ with $[\rho'] \subseteq \Pi$. Then
$\natural[\rho'] \subseteq \natural\Pi$ and, as $\Pi$ is closed under stuttering, $[\natural\rho'] \subseteq \Pi$, which implies that $\rho \in [\Pi]^{-1}$. ■

We let a set $\Pi$ of digitally timed state sequences represent the set $[\Gamma_\natural(\Pi)]^{-1}$ of precisely
timed state sequences all of whose digitizations are contained in the stuttering closure of $\Pi$.
It follows that $\Pi$ denotes in the digital-clock model the set

$[\![\Pi]\!]_{\mathbb{N}} = [\![\,[\Gamma_\natural(\Pi)]^{-1}\,]\!]$

of real-time behaviors; we refer to this set as the digital denotation of $\Pi$. By Lemma 1.2,
the digital denotation of $\Pi$ can be characterized as follows:

$[\![\Pi]\!]_{\mathbb{N}} = \mathit{Beh}([\Gamma_\natural(\Pi)]^{-1}) = \natural[\mathit{Det}(\Gamma_\natural(\Pi))]^{-1}$.

We point out that, unlike in the precisely timed case, weak closure under stuttering is
insufficient to define the denotation of a set of digitally timed state sequences. For example,
we want the set that contains all digitally timed state sequences of the form that $n \in \mathbb{N}$
identical observations $(a_0,0)$ are followed by the observation sequence

$(a_0,0) \rightarrow (a_1,0) \rightarrow \cdots \rightarrow (a_{n-1},n-1) \rightarrow (a_n,n-1) \rightarrow (a_n,n+1) \rightarrow (a_{n+1},n+1) \rightarrow (a_{n+1},n+2) \rightarrow (a_{n+2},n+2) \rightarrow \cdots$

to denote, among others, the real-time behavior

$(a_0,0) \rightarrow (a_1,0) \rightarrow \cdots \rightarrow (a_3,2) \rightarrow \cdots$.
Two sets of timed state sequences over $\mathbb{N}$ are called digitally equivalent iff they have the same
digital denotations. For example, the singleton set that contains the timed state sequence

$(a,0) \rightarrow (b,1)$

is digitally equivalent to the set that contains the two timed state sequences

$(a,0) \rightarrow (b,0)$ and $(a,1) \rightarrow (b,1)$.

Also, any two sets of digitally timed state sequences with the same stuttering closure are
digitally equivalent.


1.2 Real-time Properties

We will define the formal semantics of a reactive system to be a set of infinite timed state
sequences. Such a set is called a (real-time) property. In accordance with different clock
models, we distinguish analog, digital, and untimed properties. Recall that both analog
and digital properties denote sets of real-time behaviors: an analog property $\Pi \subseteq \mathit{TSS}_{\mathbb{R}}$
represents its analog denotation $[\![\Pi]\!]$; a digital property $\Pi \subseteq \mathit{TSS}_{\mathbb{N}}$ represents its digital
denotation $[\![\Pi]\!]_{\mathbb{N}}$. An untimed property $\Pi$ denotes the set $[\![\Pi]\!]$ of untimed behaviors.

Let $[\![S]\!]$ be the set of possible real-time behaviors of the reactive system $S$. The analog
semantics $\Pi_{\mathbb{R}}(S)$ of $S$ ought to be an analog property that denotes $[\![S]\!]$; the digital
semantics $\Pi_{\mathbb{N}}(S)$ of $S$, a digital property that denotes $[\![S]\!]$. Note that there are reactive
systems without a suitable digital semantics; that is, not every set of real-time behaviors is
represented by some digital property. For example, no set of digitally timed state sequences
denotes the singleton set that contains the real-time behavior

$(a,0.5) \rightarrow (b,0.5)$;

in other words, our digital-clock model is not expressive enough to model a reactive system
whose only possible behavior is the given one. We refer to the reactive systems for which
there is a suitable digital semantics as digitizable. Thus, the digital-clock model restricts us
to the study of digitizable systems.

In the analog-clock model, no such limitation arises, because every set $\Phi$ of real-time
behaviors is denoted by some analog property, namely the set $\Phi$ itself, with all finite sequences
in $\Phi$ being extended by infinite stuttering of the final observation. Yet we shall not permit
all analog properties as being a suitable semantics of a system. This is because we want
descriptions of reactive systems to have certain properties, which put four additional demands
on the analog semantics of a system and its presentation:

Transparency  We want a system description to be transparent; that is, we want the
behaviors in the analog semantics of a system $S$ to be exactly the possible real-time
behaviors of $S$:

$[\![S]\!] = [\![\Pi_{\mathbb{R}}(S)]\!] = \mathit{Beh}(\Pi_{\mathbb{R}}(S))$.

Refinability  We want a system description to be refinable. This is the case if its analog
semantics is weakly closed under stuttering.

Digitizability  When using the digital-clock model, and we shall use it extensively for
verification, we want a system description to be uniform, independent of the clock
model. We will show that this is the case if its analog semantics is closed under a
condition we call "digitizability."

Operationality  We want a system description to be executable. We will show that this is
the case if its analog semantics is presented in a way that we call "operational."

We shall restrict ourselves to system descriptions that satisfy all four criteria. Although
this restriction will greatly influence our choice of languages to describe reactive systems,
it does not limit the set of systems under consideration, the digitizable ones, which can
be modeled adequately in both clock models. This is because we will show that the set
of real-time behaviors of every digitizable system is denoted by an analog property that
is closed under stuttering, digitizable, and given operationally. Note that closure under
stuttering implies both the requirement of transparency and the requirement of refinability.
In the following three subsections, we discuss the three issues of refinability, digitizability,
and operationality one by one.

1.2.1 Refinability

So far, we have implicitly associated a fixed set of global states with every reactive system.
This static view prohibits the study of large systems for managerial reasons. In particular,
with every step in the hierarchical specification, design, and verification of a complex
reactive system, the state space is refined by enlarging its visible portion. The vertical
decomposition of systems can be formalized by refinement mappings between increasingly
detailed system descriptions. Since expansion of the visible portion of the state space can
increase the frequency at which state changes are observed, the formal semantics of a system
description needs to be weakly closed under stuttering to guarantee the existence of
refinement mappings [78].

Let $\Phi$ be a set of behaviors. We say that the property $\Pi$ is a refinable specification of $\Phi$
iff

(1) $\Pi$ specifies $\Phi$ under stuttering and

(2) $\Pi$ is weakly closed under stuttering.

For example, the stuttering closure $\Gamma_\natural(\Phi) = \Gamma(\Phi)$ is a refinable specification of $\Phi$, which
implies that every set of behaviors has a refinable specification. Moreover, two distinct sets
of behaviors cannot have the same refinable specification.

In the analog-clock model, a refinable specification $\Pi \subseteq \mathit{TSS}_{\mathbb{R}}$ of a set $\Phi$ of real-time
behaviors is called an analog specification of $\Phi$. We have argued that the analog semantics
$\Pi_{\mathbb{R}}(S)$ of a reactive system $S$ ought to be an analog specification of the set $[\![S]\!]$ of possible
real-time behaviors of $S$. Although the formal semantics of a reactive system has to be
sufficiently discriminative, we would like it not to be unnecessarily discriminative either; that
is, we look for a one-to-one correspondence between properties that represent the formal
semantics of reactive systems and properties that represent the possible behaviors of reactive
systems. There are, however, in general infinitely many refinable specifications of a set of
behaviors. Thus, for every set $\Phi$ of real-time behaviors, we designate a particular refinable
specification of $\Phi$ as the analog semantics of all reactive systems $S$ with $[\![S]\!] = \Phi$. There
are two obvious candidates for $\Pi_{\mathbb{R}}(S)$, which will be discussed in turn.

Interval semantics

One option is to agree that the set of all infinite sequences in the stuttering closure $\Gamma(\Phi)$
serves as the analog semantics of a system whose possible real-time behaviors are $\Phi$. Since
the stuttering closure of $\Phi$ is deterministic, this amounts to restricting ourselves to deterministic
timed state sequences when modeling reactive systems. Note that a deterministic
timed state sequence can, alternatively, be viewed as a state interval sequence, in which a
closed time interval is associated with every state and adjacent intervals have overlapping
end-points; for example, the deterministic timed state sequence

$(a,1) \rightarrow (b,1) \rightarrow (b,3) \rightarrow (b,4) \rightarrow (c,4) \rightarrow (d,4) \rightarrow (d,5) \rightarrow (e,5)$

corresponds to the state interval sequence

$(a,[0,1]) \rightarrow (b,[1,3]) \rightarrow (b,[3,4]) \rightarrow (c,[4,4]) \rightarrow (d,[4,5]) \rightarrow (e,[5,\infty))$

(which is not stutter-free). Recall that the point-wise overlap of intervals is necessary to
accommodate interleaving. We took this approach of modeling real-time behavior by state
interval sequences at a different opportunity [57].

We find it more convenient to allow arbitrary, not necessarily deterministic, timed
state sequences when defining the formal semantics of reactive systems; they permit us, for
example, to characterize a reactive system that changes its state from $a$ to $b$, nondeterministically,
at any time between 0 and 1 simply by the stuttering closure of the timed state
sequence

$(a,0) \rightarrow (b,1)$,

rather than the stuttering closure of an infinite set of deterministic timed state sequences.
Hence we will take the analog semantics of a reactive system with the set $\Phi$ of possible
real-time behaviors to contain more observation sequences than $\Gamma(\Phi)$.

Maximal refinable semantics

It is not hard to see that the refinable specifications of any set $\Phi$ of behaviors are closed
under arbitrary unions (as well as under finite intersections). It follows that $\Phi$ has a unique
maximal refinable specification, the union of all refinable specifications of $\Phi$, which can,
alternatively, be defined as follows. A set $\Pi$ of timed state sequences is said to be maximally
closed under stuttering iff for all timed state sequences $\rho$,

$[\![\rho]\!] \subseteq [\![\Pi]\!]$ implies $\rho \in \Pi$.

The refinement closure $\Gamma_{\max}(\Pi)$ of $\Pi$ is the smallest set of timed state sequences that
contains $\Pi$ and is maximally closed under stuttering. It is not hard to see that

$\Gamma(\Pi) \subseteq \Gamma_\natural(\Pi) \subseteq \Gamma_{\max}(\Pi)$

for every set $\Pi$ of timed state sequences. However, unlike ordinary closure under stuttering,
maximal closure under stuttering does not preserve determinism: if $\Pi$ is deterministic,
$\Gamma_{\max}(\Pi)$ need not be. For example, the refinement closure of the deterministic set that
contains all timed state sequences of the form

$(a,\delta) \rightarrow (b,\delta)$

with $0 \le \delta \le 1$ contains the nondeterministic timed state sequence

$(a,0) \rightarrow (b,1)$.

The following proposition shows that the refinement closure of $\Pi$ is the largest set that
specifies $[\![\Pi]\!]$ under stuttering.

Proposition  1.1  (Largest  refinable  specification)  For  any  set  11  of  timed  state  se¬ 
quences,  the  refinement  closure  Fmaxin)  is  a  refinable  specification  of  the  set  |nj  of  behav¬ 
iors.  Moreover,  if  the  set  H'  of  timed  state  sequences  is  equivalent  to  11  under  stuttering, 
then  W  C  r„^(n). 

Proof of Proposition 1.1 (1) First, we show that Γ_max(Π) specifies ⟦Π⟧ under stuttering; that is, ⟦Γ_max(Π)⟧ = ⟦Π⟧. Since Π ⊆ Γ_max(Π), we have that ⟦Π⟧ ⊆ ⟦Γ_max(Π)⟧. To show the converse containment, suppose, to the contrary, that there is a behavior ρ ∈ ⟦Γ_max(Π)⟧ such that ρ ∉ ⟦Π⟧. Since Γ_max(Π) is maximally closed under stuttering, ρ ∈ Γ_max(Π). Now it is not hard to see that the set

$$\Gamma_{max}(\Pi) - \{\rho' \in TSS \mid \rho \in \Gamma(\rho')\}$$

is a proper subset of Γ_max(Π) that contains Π and is maximally closed under stuttering, which contradicts the definition of Γ_max(Π).

(2) Secondly, we show that every set that specifies ⟦Π⟧ under stuttering is contained in Γ_max(Π). Consider an arbitrary timed state sequence ρ such that ρ ∉ Γ_max(Π) and an arbitrary set Π' ⊆ TSS with ⟦Π'⟧ = ⟦Π⟧; we show that ρ ∉ Π'. Since Γ_max(Π) is maximally closed under stuttering, there is a behavior ρ' ∈ ⟦ρ⟧ such that ρ' ∉ ⟦Π⟧. It follows that ρ' ∉ ⟦Π'⟧ and, therefore, that ρ ∉ Π'.

(3) Thirdly, recall that Γ_max(Π) and its stuttering closure are equivalent under stuttering. Hence parts (1) and (2) put together imply that Γ_max(Π) is closed under stuttering and, thus, is a refinable specification of ⟦Π⟧. ∎
Corollary 1.1 (Refinement closure) For all timed state sequences ρ and sets Π of timed state sequences, ρ ∈ Γ_max(Π) iff ⟦ρ⟧ ⊆ ⟦Π⟧.

It follows that the refinement closure of a set Φ of behaviors is the maximal refinable specification of Φ. Moreover,

$$\Gamma(\Phi) = \Gamma_\natural(\Phi) = Det(\Gamma_{max}(\Phi))$$

for every set Φ of behaviors. The refinement closure induces a bijection between all sets Φ of behaviors and all sets Π of timed state sequences that are maximally closed under stuttering:


$$\Phi \ \xrightarrow{\ \Gamma_{max}\ }\ \Pi, \qquad \Pi \ \xrightarrow{\ Beh\ }\ \Phi$$


We shall take the infinite sequences in Γ_max(Φ) as the analog semantics of a reactive system with the set Φ of possible real-time behaviors. This decision is consistent with the untimed use of the stuttering closure, because ordinary and maximal closure under stuttering collapse in the untimed model: Γ_max(Φ) = Γ(Φ) for every set Φ of untimed behaviors.

1.2.2  Digitizability 

Let Φ be a set of real-time behaviors. We say that a digital property Π is a digital specification of Φ iff Φ is the digital denotation of Π. We have argued that the digital semantics Π_ℕ(S) of a reactive system S ought to be a digital specification of the set ⟦S⟧ of possible real-time behaviors of S. However, as we have already pointed out, not every set of real-time behaviors has a digital specification. Let us now give a necessary and sufficient condition for a set of real-time behaviors to have a digital specification.


Digital  specifiability 

For this purpose we need the following definitions. A set Π of timed state sequences is called closed under digitization iff [Π] ⊆ Π; it is inversely closed under digitization iff [ρ] ⊆ Π implies ρ ∈ Π for all timed state sequences ρ over ℝ; it is digitizable iff it is both closed and inversely closed under digitization. Clearly, Π is digitizable iff, for all ρ ∈ TSS_ℝ,

$$\rho \in \Pi \ \text{ iff } \ [\rho] \subseteq \Pi.$$

Note that if Π is digitizable, then [[Π]]^{-1} = Π.

Proposition 1.2 (Digital specifiability) Given a set Φ of real-time behaviors, the following conditions are equivalent:

(1) Φ has a digital specification.

(2) Φ has a digitizable analog specification.

(3) The refinement closure Γ_max(Φ) is digitizable.

(4) The stuttering closure Γ_♮(Φ) = Γ(Φ) is digitizable.

Proof of Proposition 1.2 (1)⇒(2) Suppose that Φ has a digital specification Π; that is, Beh([Γ_♮(Π)]^{-1}) = Φ. We show that [Γ_♮(Π)]^{-1} is a digitizable analog specification of Φ. Lemma 1.2 implies that [Γ_♮(Π)]^{-1} is closed under stuttering (although it is in general not maximally closed under stuttering). To see that [Γ_♮(Π)]^{-1} is digitizable, observe that

$$\rho \in [\Gamma_\natural(\Pi)]^{-1} \ \text{ iff } \ [\rho] \subseteq \Gamma_\natural(\Pi) \ \text{ iff } \ [[\rho]] \subseteq \Gamma_\natural(\Pi) \ \text{ iff } \ [\rho] \subseteq [\Gamma_\natural(\Pi)]^{-1}$$

for all ρ ∈ TSS_ℝ.

(2)⇒(3) Suppose that Π ⊆ TSS_ℝ is digitizable and closed under stuttering. By Corollary 1.1, we have that Γ_max(⟦Π⟧) = Γ_max(Π); thus it suffices to show that Γ_max(Π) is digitizable. We show that ρ ∈ Γ_max(Π) iff [ρ] ⊆ Γ_max(Π) for an arbitrary ρ ∈ TSS_ℝ. By Corollary 1.1, it suffices to show that ⟦ρ⟧ ⊆ ⟦Π⟧ iff ⟦[ρ]⟧ ⊆ ⟦Π⟧.

First we suppose that ⟦ρ⟧ ⊆ ⟦Π⟧ and show that ⟦[ρ]⟧ ⊆ ⟦Π⟧. Consider an arbitrary 0 ≤ ε < 1 and an arbitrary real-time behavior ρ' ∈ ⟦[ρ]_ε⟧; we show that ρ' ∈ ⟦Π⟧. It suffices to show that ρ' ∈ Π or, because Π is digitizable, that [ρ']_ε' ∈ Π for an arbitrary 0 ≤ ε' < 1. It is not hard to see that there is some real-time behavior ρ'' ∈ ⟦ρ⟧ such that [ρ'']_ε = [ρ']_ε'. Since ⟦ρ⟧ ⊆ ⟦Π⟧, we have that ρ'' ∈ ⟦Π⟧ and, as Π is closed under stuttering, ρ'' ∈ Π. Since Π is digitizable, also [ρ'']_ε ∈ Π, as we wanted to show.

Now we suppose that ⟦ρ⟧ ⊄ ⟦Π⟧ — that is, ρ' ∈ ⟦ρ⟧ and ρ' ∉ ⟦Π⟧ for some real-time behavior ρ' — and show that ⟦[ρ]⟧ ⊄ ⟦Π⟧. In this case, ρ' ∉ Π and, as Π is digitizable, [ρ']_ε ∉ Π for some 0 ≤ ε < 1. Since Π is closed under stuttering, ⟦[ρ']_ε⟧ ⊄ Π and, therefore, [ρ']_ε ∉ ⟦Π⟧. Hence ⟦[ρ]⟧ ⊄ ⟦Π⟧.

(3)⇒(4) Recall that Γ(Φ) = Det(Γ_max(Φ)). Assume that Π ⊆ TSS is digitizable; we show that then Det(Π) is digitizable as well. To see that ρ ∈ Det(Π) implies [ρ] ⊆ Det(Π), observe that whenever ρ ∈ TSS_ℝ is deterministic, then so is [ρ]. To see that [ρ] ⊆ Det(Π) implies ρ ∈ Det(Π), note that if ρ is not deterministic, then there is some 0 ≤ ε < 1 such that [ρ]_ε is not deterministic either.

(4)⇒(1) Suppose that Γ(Φ) = Γ_♮(Φ) is digitizable. To show that [Γ_♮(Φ)] is a digital specification of Φ, it suffices to show that [Γ_♮([Γ_♮(Φ)])]^{-1} = Γ_♮(Φ), because Γ_♮(Φ) specifies Φ under stuttering. First observe that the digitizability of Γ_♮(Φ) implies that [Γ_♮(Φ)] ⊆ Γ_♮(Φ) and, therefore, that Γ_♮([Γ_♮(Φ)]) ⊆ Γ_♮(Φ). Now consider an arbitrary ρ ∈ TSS_ℝ; then

$$\rho \in [\Gamma_\natural([\Gamma_\natural(\Phi)])]^{-1} \ \text{ iff } \ [\rho] \subseteq \Gamma_\natural([\Gamma_\natural(\Phi)]) \ \text{ iff } \ [\rho] \subseteq \Gamma_\natural(\Phi) \ \text{ iff } \ \rho \in \Gamma_\natural(\Phi),$$

because Γ_♮(Φ) is digitizable. ∎

It  follows  that  a  reactive  system  has  a  suitable  digital  semantics  iff  its  analog  semantics 
is  digitizable.  We  shall  restrict  ourselves  to  these  systems  —  the  digitizable  ones. 


Clock-independent  specifiability 


To define the digital semantics of digitizable systems, we look for a one-to-one correspondence between digital properties and sets of possible behaviors of digitizable systems. There are, however, in general infinitely many digital specifications of the set of possible behaviors of a digitizable system. Thus we designate, for every set Φ of real-time behaviors that has a digital specification, a particular digital specification of Φ as the digital semantics of all reactive systems S with ⟦S⟧ = Φ. We would like the formal semantics of a reactive system S to be independent of the clock model; that is, we want to define the digital semantics Π_ℕ(S) of S simply as the set of all timed state sequences over ℕ in the analog semantics Π_ℝ(S) of S:

$$\Pi_{\mathbb{N}}(S) = \Pi_{\mathbb{R}}(S) \cap TSS_{\mathbb{N}}.$$


This convention would allow us to describe the formal semantics of any particular reactive system uniformly — independent of the clock model — as the set of all timed state sequences that satisfy certain requirements. A look at the system with the single behavior

$$(a, 0.5) \to (b, 0.5)$$

shows that such a definition is in general highly inappropriate; yet it proves workable for all digitizable systems. The following proposition shows that for all digitizable systems S, the set of timed state sequences over ℕ in the analog semantics Γ_max(⟦S⟧) of S is indeed a digital specification of ⟦S⟧. We find it convenient to write Π_ℕ for Π ∩ TSS_ℕ for any set Π of timed state sequences.

Proposition 1.3 (Clock-independent specifiability) If the set Π of precisely timed state sequences is digitizable and closed under stuttering, then [Π] = Π_ℕ and this set [Π] of digitally timed state sequences is a digital specification of the set ⟦Π⟧ of real-time behaviors.

Proof of Proposition 1.3 (1) First observe that Π_ℕ ⊆ [Π] for all Π ⊆ TSS_ℝ. Now suppose that Π is closed under digitization. Then

$$[\Pi] = [\Pi]_{\mathbb{N}} \subseteq \Pi_{\mathbb{N}}.$$

(2) To see that [Π] is a digital specification of ⟦Π⟧ if Π is both digitizable and closed under stuttering, confer part (4)⇒(1) of the proof of Proposition 1.2. ∎

Recall that if Π is closed under stuttering, then ⟦Π⟧ = Beh(Π), and if Π is digitizable, then Π = [[Π]]^{-1}. It follows that the set [Π] = Π_ℕ of the previous proposition specifies, in the digital-clock model, the set Beh([[Π]]^{-1}) of real-time behaviors. This observation reveals the following bijection between all sets Φ of real-time behaviors with digital specifications and some sets Π of digitally timed state sequences:

$$\Pi \ \xrightarrow{\ Beh([\,\cdot\,]^{-1})\ }\ \Phi, \qquad \Phi \ \xrightarrow{\ [\Gamma_{max}(\cdot)] = \Gamma_{max}(\cdot)_{\mathbb{N}}\ }\ \Pi$$

We take the infinite sequences in Γ_max(Φ)_ℕ as the digital semantics of a reactive system with the set Φ of possible real-time behaviors. Proposition 1.3 gives us also another way of looking at our definition of digital semantics. Consider a digitizable system S with the set ⟦S⟧ = Φ of possible real-time behaviors, the analog semantics Π_ℝ(S) of S — a digitizable analog specification of Φ — and the digital semantics Π_ℕ(S) of S — a digital specification of Φ. Since Π_ℕ(S) = [Π_ℝ(S)],

$$\rho \in \Pi_{\mathbb{R}}(S) \ \text{ iff } \ [\rho] \subseteq \Pi_{\mathbb{N}}(S)$$
for all precisely timed state sequences ρ. This property of the digital semantics of S can be intuitively interpreted as the following two requirements on Π_ℕ(S). Given a precisely timed observation sequence ρ,

1. If ρ observes a real-time behavior of S, then all digital clocks think so. Formally,

$$[\Pi_{\mathbb{R}}(S)] \subseteq \Pi_{\mathbb{N}}(S).$$

2. If all digital clocks think that ρ observes a real-time behavior of S, then they are correct (or, equivalently, if ρ does not observe a real-time behavior of S, then some digital clock thinks so). Formally, [ρ] ⊆ Π_ℕ(S) implies ρ ∈ Π_ℝ(S). This demand asserts, in particular, that Π_ℕ(S) ⊆ Π_ℝ(S) and, consequently, that

$$\Pi_{\mathbb{N}}(S) \subseteq [\Pi_{\mathbb{R}}(S)].$$

It is not hard to see that since the analog semantics Π_ℝ(S) of a system S is closed under stuttering, so is the digital semantics Π_ℕ(S) = (Π_ℝ(S))_ℕ in the digital-clock model. The following proposition implies that the digital semantics is, in fact, maximally closed under stuttering; it shows that our choice of digital semantics is, consistent with the analog and untimed cases, again a maximal one.

Proposition 1.4 (Largest digital specification) For every set Φ of real-time behaviors and every digital specification Π ⊆ TSS_ℕ of Φ, we have Π ⊆ Γ_max(Φ)_ℕ.

Proof of Proposition 1.4 We suppose that ⟦Π⟧_ℕ = Φ, consider an arbitrary digitally timed state sequence ρ ∈ Π, and show that ρ ∈ Γ_max(Φ). By Corollary 1.1, it suffices to show that ⟦ρ⟧ ⊆ Φ. Consider an arbitrary real-time behavior ρ' ∈ ⟦ρ⟧; we show that ρ' ∈ Φ. Since ρ ∈ Π, we have that ρ' ∈ Γ_♮(Π). Then,

$$[\rho'] \subseteq [\Gamma_\natural(\Pi)] \subseteq \Gamma_\natural([\Pi]) = \Gamma_\natural(\Pi),$$

which implies that ρ' ∈ [Γ_♮(Π)]^{-1}. As Beh([Γ_♮(Π)]^{-1}) = Φ, also ρ' ∈ Φ as desired. ∎

1.2.3  Safety,  liveness,  and  operationality 

Reactive systems define real-time properties. In the analog-clock model, the system S defines the analog property Π_ℝ(S); in the digital-clock model, S defines the digital property Π_ℕ(S) = (Π_ℝ(S))_ℕ; in the untimed model, the untimed property Π_1(S). If the time domain is immaterial, we omit the subscript as usual and say that the system S defines (specifies) the property Π(S) ⊆ TSS^ω. On the other hand, S is said to satisfy (implement) a property Π ⊆ TSS^ω iff

$$\Pi(S) \subseteq \Pi.$$

Verification of S is the task of proving that S satisfies certain properties. It is useful to classify properties of reactive systems into two categories — safety properties and liveness properties — because they require fundamentally different means for their specification and verification [76]. Thus we extend the standard safety-liveness classification of untimed properties to real-time properties.

Real-time  safety  and  liveness 

• A safety property stipulates that “nothing bad” will happen, ever, during the execution of a system. If “something bad” were to happen during the execution, it would have to happen within a finite number of observations. Thus we can formalize safety as follows:

A set Π of infinite timed state sequences is a (real-time) safety property iff for all infinite timed state sequences ρ, whenever every finite prefix of ρ can be extended to a sequence in Π, then ρ ∈ Π.

• A liveness property stipulates that “something good” will happen, eventually, during the execution of a system. If “nothing good” were to happen during the execution, an irremediable situation would have to be reached within a finite number of observations. Thus we can formalize liveness as follows:

A set Π of infinite timed state sequences is a (real-time) liveness property iff every finite timed state sequence can be extended to a sequence in Π.

These definitions generalize the corresponding untimed notions of safety, as defined by Alpern, Demers, and Schneider [4], and liveness, as defined by Alpern and Schneider [5]: in the untimed model, Π is a real-time safety property iff Π⁻ is a safety property, and Π is a real-time liveness property iff Π⁻ is a liveness property. In fact, we show that this correlation holds, independent of the clock model, for all time-invariant properties. A set Π of timed state sequences is called time-invariant iff, for all timed state sequences ρ = (σ,T) and ρ' = (σ,T'), if ρ ∈ Π then ρ' ∈ Π; that is,

$$\rho \in \Pi \ \text{ iff } \ \rho^{-} \in \Pi^{-}$$

for all ρ ∈ TSS. Note that in the untimed model, every property is time-invariant.

Proposition 1.5 (Time-invariant safety and liveness) If Π is a time-invariant real-time property, then (1) Π is a real-time safety property iff Π⁻ is a safety property, and (2) Π is a real-time liveness property iff Π⁻ is a liveness property.

Proof of Proposition 1.5 (1) To show that the safety of Π implies the safety of Π⁻, consider an arbitrary infinite state sequence σ and suppose that every finite prefix σ^i, for i ≥ 0, of σ can be extended to a sequence σ_i ∈ Π⁻; we show that σ ∈ Π⁻. Let T be any infinite time sequence that satisfies the monotonicity and progress conditions. Since Π is time-invariant, (σ_i, T) ∈ Π for all i ≥ 0 and, as Π is safe, also (σ, T) ∈ Π, which implies that σ ∈ Π⁻.

To show that the safety of Π⁻ implies the safety of Π, consider an arbitrary infinite timed state sequence ρ and suppose that every finite prefix ρ^i of ρ can be extended to a sequence ρ_i ∈ Π; we show that ρ ∈ Π. Since Π is time-invariant, it suffices to show that ρ⁻ ∈ Π⁻. Since Π⁻ is safe, it suffices to show that every finite prefix of ρ⁻ can be extended to a sequence in Π⁻, which follows from our assumption (extend (ρ⁻)^i to ρ_i⁻).

(2) To show that the liveness of Π implies the liveness of Π⁻, consider an arbitrary finite state sequence σ; we show that σ can be extended to a sequence in Π⁻. Let ρ be any finite timed state sequence with ρ⁻ = σ. Since Π is live, ρ can be extended to an infinite timed state sequence ρ' ∈ Π. Clearly, ρ'⁻ ∈ Π⁻ is an extension of σ.

To show that the liveness of Π⁻ implies the liveness of Π, consider an arbitrary finite timed state sequence ρ; we show that ρ can be extended to a sequence in Π. Since Π⁻ is live, ρ⁻ can be extended to an infinite state sequence σ ∈ Π⁻. Let ρ' be any infinite timed state sequence extending ρ such that ρ'⁻ = σ. Since Π is time-invariant, ρ' ∈ Π as desired. ∎

Moreover, the safety and liveness of any digital property that is defined by a reactive system S is determined by the analog semantics of S. This is shown by the following proposition, which states that the safety and liveness of digitizable properties is invariant under digitization.


Proposition 1.6 (Digitizable safety and liveness) Let Π be a digitizable analog property.

(1) Π is a safety property iff Π_ℕ is a safety property.

(2) If Π is a liveness property, then so is Π_ℕ.

Proof of Proposition 1.6 (1) It is not hard to see that the safety of Π implies the safety of Π_ℕ for all Π ⊆ TSS_ℝ.

To see that the safety of Π_ℕ implies the safety of Π, consider an arbitrary infinite sequence ρ ∉ Π; we show that there is a finite prefix ρ^i of ρ that cannot be extended to an infinite sequence in Π. Since Π is digitizable, there is some 0 ≤ ε < 1 such that [ρ]_ε ∉ Π_ℕ. Since Π_ℕ is safe, there is some finite prefix [ρ]_ε^i of [ρ]_ε that cannot be extended to an infinite sequence in Π_ℕ. It follows that ρ^i cannot be extended to an infinite sequence ρ' ∈ Π: otherwise the extension [ρ']_ε of [ρ]_ε^i would be in Π_ℕ, because Π is digitizable.

(2) To see that the liveness of Π implies the liveness of Π_ℕ, consider an arbitrary finite digitally timed state sequence ρ. Since Π is live, ρ can be extended into an infinite sequence ρ' ∈ Π and, as Π is closed under digitization, the extension [ρ']_ε of ρ is in Π_ℕ for any 0 ≤ ε < 1. ∎

In general there is, however, no obvious correspondence between timed and untimed safety and liveness. Consider, for example, the bounded-response property Π_δ that contains an infinite timed state sequence (σ,T) iff for all i ≥ 0, whenever σ_i = a, then σ_j = b and T_j ≤ T_i + δ for some j ≥ i; that is, every observation that shows state a is followed by an observation that shows state b within time δ. Then Π_δ⁻ is the untimed, unbounded response property that specifies that every state a is, eventually, followed by a state b; it contains an infinite sequence σ of states iff for all i ≥ 0, whenever σ_i = a, then σ_j = b for some j ≥ i. Since every finite prefix of a state sequence can be extended to contain a state b, the response property Π_δ⁻ is a liveness property. On the other hand, in both the analog-clock and the digital-clock model the bounded-response property Π_δ is not live, because the finite prefix

$$(a,0) \to (b,\delta+1)$$

cannot be extended to a timed state sequence in Π_δ. Note that Π_δ is, in fact, safe in both the analog-clock and the digital-clock model: if an infinite timed state sequence ρ = (σ,T) is not in Π_δ, then it contains an observation ρ_i = (a, T_i) and, because time progresses, a later observation ρ_j, for j > i, such that T_j > T_i + δ and σ_k ≠ b for all i ≤ k < j; moreover, the finite prefix ρ^j cannot be extended to an infinite sequence in Π_δ. The “bad thing” that is not supposed to happen is that, after observing state a, time δ passes without an observation of state b.
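As an added example (not from the thesis), the bounded-response argument above turned into a monitor over finite prefixes: bad_prefix_index reports the index j of the “bad thing” (an a at T_i with T_j > T_i + δ and no b in between), and witnessing_clocks checks which digital clocks also see the violation, as used in the proof of Proposition 1.6. The rounding convention for [t]_ε is an assumption of this example, not a definition taken from the page.

```python
"""Added example: monitoring the bounded-response property Pi_delta on
finite prefixes of timed state sequences, in the analog and digital models."""
import math
from typing import List, Optional, Tuple

# An observation is a pair (state, time); a prefix is a finite list of them.
Observation = Tuple[str, float]


def bad_prefix_index(prefix: List[Observation], a: str, b: str,
                     delta: float) -> Optional[int]:
    """Return the smallest j such that the prefix rho^j cannot be extended
    to any infinite sequence in Pi_delta: some observation of `a` at time
    T_i is followed by no `b`, and T_j > T_i + delta.  Return None if the
    prefix is still extendable (every unanswered `a` can still be answered
    in time).  The prefix is assumed to be monotonic in time."""
    pending: Optional[float] = None   # time of the earliest unanswered `a`
    for j, (state, t) in enumerate(prefix):
        if pending is not None and t > pending + delta:
            return j                  # delta has passed: the bad thing happened
        if state == b:
            pending = None            # one `b` answers every earlier `a`
        elif state == a and pending is None:
            pending = t
    return None


def digitize_time(t: float, eps: float) -> int:
    """[t]_eps for a digital clock with offset eps in [0, 1).  Assumed
    convention for this example: round down iff frac(t) <= eps."""
    floor = math.floor(t)
    return floor if t - floor <= eps else floor + 1


def digitize(prefix: List[Observation], eps: float) -> List[Observation]:
    """[rho]_eps: the same states, time-stamped by the digital clock eps."""
    return [(state, float(digitize_time(t, eps))) for state, t in prefix]


def witnessing_clocks(prefix: List[Observation], a: str, b: str,
                      delta: float, grid: int = 10) -> List[float]:
    """Sample eps = k/grid over [0, 1) and return the offsets whose digital
    clock also reports the prefix as bad.  For an integral delta the
    property is digitizable, so an analog violation is seen by some digital
    clock; a coarse grid may of course miss the witnessing interval."""
    return [k / grid for k in range(grid)
            if bad_prefix_index(digitize(prefix, k / grid), a, b, delta)
            is not None]


if __name__ == "__main__":
    # Constructed sample prefixes with delta = 1.
    too_late = [("a", 0.0), ("b", 2.0)]           # (a,0) -> (b, delta+1)
    print(bad_prefix_index(too_late, "a", "b", 1.0))                  # 1
    print(bad_prefix_index([("a", 0.0), ("b", 1.0)], "a", "b", 1.0))  # None
    analog = [("a", 0.3), ("b", 1.5)]             # violates: 1.5 > 0.3 + 1
    print(witnessing_clocks(analog, "a", "b", 1.0))                   # [0.3, 0.4]
```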

It follows that the traditional safety-liveness classification of properties, which considers only state components, does not fit for real-time properties. Time cannot be ignored, because its implicit “liveness,” as guaranteed by the progress condition on timed state sequences, shifts the spectrum of real-time properties towards the safety side — an observation that has been made repeatedly [79, 85, 115, 116]. It is precisely this phenomenon that has been captured formally by our definitions of real-time safety and liveness; instead of looking at all infinite sequences of observations, we have restricted ourselves, a priori, to timed state sequences, which satisfy the monotonicity and progress conditions on time.

In the following segment, we relate the timed and untimed classifications of properties by giving a general topological characterization of safety and liveness under unspecified assumptions about states and time. For this purpose we need to consider arbitrary infinite sequences of observations rather than just timed state sequences. We use the following local conventions for the remainder of this subsection. Let O be a set of observations. If Φ is a subset of the set O^ω of all infinite observation sequences, we say that every set Π ⊆ Φ is a Φ-property. Thus TSS^ω-properties are real-time properties; we refer to O^ω-properties as unconditional. Whenever the value of the parameter Φ is not mentioned explicitly, it is unspecified, rather than TSS^ω as in the other parts of this thesis. For example, in the remainder of this subsection, a “property” may be any subset of O^ω.

Relative  safety  and  liveness 

Suppose that, for whatever reason, all legal observation sequences satisfy certain requirements on states and time. These requirements can be characterized by a property Φ ⊆ O^ω, which contains exactly the legal observation sequences. If Φ is a condition on the times of observations, we refer to it as a timing assumption. We have encountered the following timing assumptions:

Time domain The timing assumption O^ω_TIME ⊆ O^ω contains the observation sequences over the time domain TIME.

Monotonicity We say that an observation sequence is monotonic iff it satisfies the monotonicity condition on time. The timing assumption O^ω_mon ⊆ O^ω contains the monotonic observation sequences.

Progress We say that an observation sequence is divergent iff it satisfies the progress condition on time. The timing assumption O^ω_div ⊆ O^ω contains the divergent observation sequences.

Real time The timing assumption TSS^ω = O^ω_mon ∩ O^ω_div contains the infinite timed state sequences.

Analog clock The timing assumption TSS^ω_ℝ = TSS^ω ∩ O^ω_ℝ contains the infinite precisely timed state sequences.

Digital clock The timing assumption TSS^ω_ℕ = TSS^ω ∩ O^ω_ℕ contains the infinite digitally timed state sequences.

If we restrict our consideration to infinite sequences from Φ, we obtain the following notions of safety and liveness relative to the property Φ:

• Π ⊆ Φ is a safety property relative to Φ ⊆ O^ω iff for all σ ∈ Φ, whenever every finite prefix of σ can be extended to a sequence in Π, then σ ∈ Π.

• Π ⊆ Φ is a liveness property relative to Φ ⊆ O^ω iff every finite prefix of a sequence in Φ can be extended to a sequence in Π.

Thus real-time safety and liveness are safety and liveness relative to the timing assumption TSS^ω, and conventional untimed safety and liveness are safety and liveness relative to TSS^ω_1. We refer to safety and liveness relative to O^ω as unconditional safety and liveness; it is not hard to see that a property Π is unconditionally safe (live) iff the untimed property Π⁻ is safe (live).

Now we can classify the timing assumptions given above:

Time domain O^ω_TIME is an unconditional safety property for every time domain TIME.

Monotonicity O^ω_mon is an unconditional safety property.

Progress O^ω_div is an unconditional liveness property.

Real time TSS^ω is neither unconditionally safe nor unconditionally live. It is safe relative to O^ω_div and live relative to O^ω_mon.

Analog clock TSS^ω_ℝ is neither unconditionally safe nor unconditionally live; it is safe relative to TSS^ω.

Digital clock TSS^ω_ℕ is neither unconditionally safe nor unconditionally live; it is safe relative to TSS^ω_ℝ.

There is a natural topology on O^ω, the Cantor topology on infinite strings, in which the unconditional safety properties are exactly the closed sets, and the unconditional liveness properties are exactly the dense sets [4]. It follows immediately that only O^ω itself is both an unconditional safety and an unconditional liveness property. The Cantor topology on O^ω induces a topological subspace on Φ ⊆ O^ω, which is called the relativization of the Cantor topology on O^ω to Φ [70]: the open sets of the relative topology are taken to be the intersections of Φ with the open sets of the topology on O^ω. The following lemma shows that the properties that are safe relative to Φ are exactly the closed sets of the relative topology, and the properties that are live relative to Φ are exactly the dense sets of the relative topology. Note that since unconditional safety properties are closed under arbitrary intersections, we can define the closure Π̄ of a property Π as the smallest unconditional safety property containing Π.

Lemma 1.3 (Relative safety and liveness) Let Π ⊆ Φ ⊆ O^ω.

(1) Π is a safety property relative to Φ iff Π̄ ∩ Φ ⊆ Π.

(2) Π is a liveness property relative to Φ iff Φ ⊆ Π̄.

Proof of Lemma 1.3 First observe that an infinite sequence ρ ∈ O^ω is in the closure of a property Π ⊆ O^ω (that is, ρ ∈ Π̄) iff every finite prefix of ρ can be extended to an infinite sequence in Π. Then apply this observation to the definitions of relative safety and relative liveness. ∎
It follows that Π is safe relative to Φ iff Π = Π_s ∩ Φ for some unconditional safety property Π_s. In particular, if the property Π = Π_s ∩ Π_l is given as the intersection of an unconditional safety property Π_s and an unconditional liveness property Π_l, then Π is safe relative to Π_l.

It is convenient to extend the notions of safety and liveness relative to a property Φ to properties that are not necessarily subsets of Φ: we say that Π ⊆ O^ω is a safety (liveness) property relative to Φ ⊆ O^ω iff Π ∩ Φ is safe (live) relative to Φ. Clearly, unconditional safety properties are, in this sense, safe relative to any property Φ. More generally:

Proposition 1.7 (Downward preservation of safety) Suppose that Φ_1 ⊆ Φ_2 ⊆ O^ω. If Π ⊆ O^ω is a safety property relative to Φ_2, then it is also a safety property relative to Φ_1.

Proof of Proposition 1.7 Let Φ_1 ⊆ Φ_2. First observe that the closure operator is monotonic; that is, Π ⊆ Φ implies Π̄ ⊆ Φ̄ for all Π, Φ ⊆ O^ω. In particular, we have that

$$\overline{\Pi \cap \Phi_1} \subseteq \overline{\Pi \cap \Phi_2}.$$

By part (1) of Lemma 1.3, we may assume that

$$(\overline{\Pi \cap \Phi_2}) \cap \Phi_2 \subseteq \Pi \cap \Phi_2$$

and need to show that, then,

$$(\overline{\Pi \cap \Phi_1}) \cap \Phi_1 \subseteq \Pi \cap \Phi_1.$$

The derivation is simple. ∎
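The derivation that the proof leaves out, written out here as an added step (it is not part of the original proof), using only the monotonicity observation, Φ_1 ⊆ Φ_2, and the assumed relative safety of Π with respect to Φ_2:

$$
(\overline{\Pi \cap \Phi_1}) \cap \Phi_1
\;\subseteq\; (\overline{\Pi \cap \Phi_2}) \cap \Phi_1
\;=\; (\overline{\Pi \cap \Phi_2}) \cap \Phi_2 \cap \Phi_1
\;\subseteq\; (\Pi \cap \Phi_2) \cap \Phi_1
\;=\; \Pi \cap \Phi_1 .
$$

The first step is the containment $\overline{\Pi \cap \Phi_1} \subseteq \overline{\Pi \cap \Phi_2}$, the second uses $\Phi_1 = \Phi_2 \cap \Phi_1$ (since $\Phi_1 \subseteq \Phi_2$), the third is the assumption from part (1) of Lemma 1.3, and the last again uses $\Phi_1 \subseteq \Phi_2$.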

This proposition shows that every unconditional safety property remains safe relative to any timing assumption. The converse of Proposition 1.7 holds only in a very restricted case:

Proposition 1.8 (Upward preservation of safety) Suppose that Π ⊆ Φ_1 ⊆ Φ_2 ⊆ O^ω. If Π is a safety property relative to Φ_1 and Φ_1 is a safety property relative to Φ_2, then Π is a safety property relative to Φ_2.

Proof of Proposition 1.8 Again, use part (1) of Lemma 1.3 and the monotonicity of the closure operator. ∎
In general, properties become “safer” if they are viewed relative to stronger (i.e., more restrictive) properties; a property that is not an unconditional safety property may be safe relative to another property. We have already given an interesting example of such a property that is shifted “towards safety”: the bounded-response property Π_δ is unconditionally live, but safe relative to TSS^ω. Note that relative to the weaker timing assumption O^ω_mon, the bounded-response property Π_δ is neither live nor safe; it is not safe relative to O^ω_mon, because it contains all monotonic observation sequences of the form

$$(a,0) \to (a,0) \to \cdots \to (a,0) \to (b,0) \to \cdots$$

without containing the monotonic sequence

$$(a,0) \to (a,0) \to (a,0) \to \cdots$$

Our timing assumption TSS^ω causes properties to shift towards safety, because it includes the liveness condition O^ω_div. The class of properties that are safe relative to TSS^ω includes many other important real-time properties that are unconditional liveness properties; that is, all the liveness they stipulate is subsumed by the progress of time. We will use this fact extensively in the following way. Suppose that Π is an unconditional liveness property and safe relative to TSS^ω. Since any description of the unconditional liveness property Π defines, under our assumptions of monotonicity and progress of time, the real-time safety property Π ∩ TSS^ω, we can

1. Specify Π by methods for specifying liveness properties: liveness-type specifications of, say, bounded response are often more intuitive than safety-type specifications.

2. Verify Π by methods for verifying safety properties: safety-type arguments are often simpler than liveness-type arguments.


Operationality

Recall that the analog semantics Π_R(S) of any reactive system S is required to be transparent
— that is, Beh(Π_R(S)) is the set of possible behaviors of S — and closed under
stuttering. Since the system S is essentially a machine that may, at any point in time, either
change its state or wait and do nothing, the presentation of its semantics Π_R(S) ought
to give a recipe for the incremental generation of all possible execution sequences of S —
the stuttering closure of Beh(Π_R(S)):

$\Gamma(\mathit{Beh}(\Pi_R(S))) = \mathit{Det}(\Pi_R(S)).$

In other words, we want to be able to interpret the description of the reactive system S
operationally. For this purpose, we have to isolate the safety and liveness components of
Det(Π_R(S)). For suppose that Det(Π_R(S)) is defined as the intersection of an unconditional
safety property Π_s and an unconditional liveness property Π_l:

$\mathit{Det}(\Pi_R(S)) = \Pi_s \cap \Pi_l \cap \mathit{Det}(TSS_R).$

Then we may be able to view the system S as a machine that generates, step by step,
safe execution sequences in Π_s ∩ Det(TSS_R) and “eventually” satisfies the liveness requirement
Π_l. However, not every pair (Π_s, Π_l) allows this interpretation. The problem is that
the safety part may permit the generation of deterministic finite timed state sequences from
which either the liveness requirement cannot be satisfied or time cannot advance.

We formalize the notion of operationality for arbitrary timing assumptions Φ. A pair
(Π_s, Π_l) is said to define the Φ-property Π ⊆ Φ congruously relative to Φ ⊆ Ω^ω iff

(1) Π = Π_s ∩ Π_l ∩ Φ,

(2) Π_s is safe relative to Φ and Π_l is live relative to Φ, and

(3) every finite prefix of a sequence in Π_s ∩ Φ can be extended to an infinite
sequence in Π.

Condition (3) ensures that the safety part of a congruous definition is complete: the liveness
part does not preclude any safe prefixes. The definition of a property is called unconditionally
congruous iff it is congruous relative to Ω^ω; it is (real-time) congruous iff it is
congruous relative to Det(TSS_R). Congruity generalizes an untimed concept that has been
named repeatedly: a pair (Π_s, Π_l) is congruous in the untimed model iff the pair (Π_s^−, Π_l^−)
is machine closed according to Abadi and Lamport [1]; feasible according to Apt, Francez,
and Katz [13]; or Π_l^− is live with respect to Π_s^− according to Dederichs and Weber [32].

Congruous definitions of deterministic properties describe reactive systems, because they
can be executed: if (Π_s, Π_l) is congruous relative to Det(Φ), then a machine that incrementally
generates safe execution sequences in Π_s ∩ Det(Φ) will never reach an irremediable
situation from which the liveness conditions in Π_l ∩ Det(Φ) cannot be satisfied. This is
because the defined property Π = Π_s ∩ Π_l ∩ Det(Φ) is live relative to Π_s ∩ Det(Φ). On the
other hand, a machine trying to execute an incongruous definition without look-ahead may
“paint itself into a corner” from which no legal continuation is possible. In particular, the
real-time congruity of a system description ensures that the system cannot prevent time
from advancing.

Thus we say that the formal semantics Π(S) of a reactive system S is given operationally
iff its deterministic part Det(Π(S)) ⊆ Det(TSS_R) is defined congruously, that is, iff there is
a pair (Π_s, Π_l) that defines the deterministic real-time property

$\mathit{Det}(\Pi(S)) = \Pi_s \cap \Pi_l \cap \mathit{Det}(TSS_R)$

congruously. We require that the analog semantics of every reactive system is given
operationally. This demand does not restrict the real-time properties under consideration:
we will prove that for every assumption Φ ⊆ Ω^ω, every property Π ⊆ Φ can be defined
congruously relative to Φ. Alpern and Schneider showed that every untimed property is
the intersection of an untimed safety property and an untimed liveness property [5]. It is
well-known that they have given a construction that actually proves the stronger result that
every untimed property has a congruous definition. We generalize this main result about
the untimed safety-liveness classification to safety, liveness, and congruity relative to any
timing assumption.

Theorem 1.1 (Existence of congruous definitions) For all Φ ⊆ Ω^ω, every property
Π ⊆ Φ has a definition that is congruous relative to Φ.

Proof of Theorem 1.1 Let $\Pi_s = \overline{\Pi}$ and $\Pi_l = \neg(\overline{\Pi_s \cap \Phi} - \Pi)$; then Π_s is unconditionally
safe. Alternatively, let $\Pi_s = \overline{\Pi} \cap \Phi$ and $\Pi_l = \neg(\Pi_s - \Pi)$; then Π_s ⊆ Φ. We show that
(Π_s, Π_l) defines Π congruously relative to Φ in either case; in fact, Π_l is unconditionally
live.

It is not hard to see that $\Pi = \Pi_s \cap \Pi_l \cap \Phi$ and that $\Pi_s \cap \Phi \subseteq \overline{\Pi}$ — that is, every finite
prefix of a sequence in Π_s ∩ Φ can be extended to a sequence in Π. Proposition 1.7 implies
that $\Pi_s = \overline{\Pi}$, and thus also $\Pi_s = \overline{\Pi} \cap \Phi$, is safe relative to Φ. It remains to be shown that Π_l
is live relative to Φ or, by part (2) of Lemma 1.3, that

$\Phi \subseteq \overline{\neg(\overline{\Pi \cap \Phi} - \Pi) \cap \Phi}.$

Since Π ⊆ Φ, this condition is equivalent to

$\Phi \subseteq \overline{\Pi \cup (\Phi - \overline{\Pi})}.$

We can derive both containments

$\overline{\Pi} \cap \Phi \subseteq \overline{\Pi \cup (\Phi - \overline{\Pi})},$
$\neg\overline{\Pi} \cap \Phi \subseteq \overline{\Pi \cup (\Phi - \overline{\Pi})}$

using the monotonicity of the closure operator. ■

To complete our discussion of the semantics of reactive systems, we show that if the
description of a system S gives its analog semantics Π_R(S) = Π_s ∩ Π_l ∩ TSS_R operationally,
then it gives its digital semantics Π_N(S) = (Π_R(S))_N operationally as well. It follows from
the following proposition that for digitizable systems S, the pair (Π_s, Π_l) is a congruous
definition of the set

$\mathit{Det}(\Pi_N(S)) = \mathit{Det}(\Pi_R(S))_N$

of digitally timed execution sequences of S.

Proposition 1.9 (Digitizable operationality) Let Π_s, Π_l ⊆ Ω^ω such that (Π_s, Π_l) is a
congruous definition of the analog property Π = Π_s ∩ Π_l ∩ TSS_R. If Π is digitizable, then
(Π_s, Π_l) defines the digital property Π_N congruously.

Proof of Proposition 1.9 By Proposition 1.6, it suffices to show that every finite prefix
of a digitally timed state sequence in Π_s can be extended to an infinite digitally timed state
sequence in Π_s ∩ Π_l. Consider a finite prefix ρ' of a digitally timed state sequence ρ ∈ Π_s.
Since (Π_s, Π_l) defines Π congruously, there is an infinite precisely timed extension ρ'' of ρ'
with ρ'' ∈ Π. Since Π is closed under digitization, also [ρ'']_ε ∈ Π for any 0 ≤ ε ≤ 1. Note
that [ρ'']_ε is an infinite digitally timed extension of ρ' in Π_s ∩ Π_l. ■


1.3 Real-time Systems, Specifications, and Verification

Let S be a reactive system whose set of possible real-time behaviors is ⟦S⟧ and let φ be
a specification that is satisfied by the real-time behaviors in ⟦φ⟧. Verification of S with
respect to φ amounts to checking the containment

$\llbracket S \rrbracket \subseteq \llbracket \varphi \rrbracket$

of sets of real-time behaviors. Systems will be given as expressions of an implementation
language; specifications as expressions of a specification language. Now, at the end of this
foundational chapter, we can summarize our demands on the implementation language and
the specification language, and justify both the analog-clock model and the digital-clock
model for proving containment of sets of real-time behaviors. Then, in the remainder of
this thesis, we will introduce concrete languages that meet our constraints and concrete
techniques that solve instances of the verification problem.


1.3.1 Implementation languages

We have put very stringent demands on the implementation language. Let Φ be the set of
real-time behaviors of a digitizable system S; then Φ^− is the set of untimed behaviors
of S. Since we require system descriptions to be transparent, refinable, independent of
the clock model, and executable, we have agreed that an expression of the implementation
language that describes the system S ought to define, in the analog-clock model, the analog
property

$\Pi_R(S) = \Gamma_R(\Phi)$

operationally; in the digital-clock model, it ought to define the digital property

$\Pi_N(S) = (\Pi_R(S))_N;$

in the untimed model, the untimed property

$\Pi_1(S) = \Gamma_1(\Phi^-).$

The following diagram gives the complete semantical picture for a digitizable system S
whose possible real-time behaviors are Φ.

(Diagram: the nodes Π_N(S), Π_R(S), and Π_1(S), connected by edges labeled Beh and by the
digitization [·].)

Similar conditions can be required of the specification language. Indeed, this approach of
using high-level system descriptions as specifications lends itself to many useful verification
techniques such as stepwise refinement [77, 81]: verification methods that are based on
refinement mappings show that one system S₁ — the implementation — implements another
system S₂ — the specification. These methods can be used for the hierarchical verification
of a chain of system descriptions

$\llbracket S_1 \rrbracket \subseteq \llbracket S_2 \rrbracket \subseteq \cdots \subseteq \llbracket S_n \rrbracket,$

in which every implementation contains more detail than its specification. We shall, however,
study an alternative — or rather, complementary — approach that considers specifications
to be logical propositions instead of system descriptions: we require that specifications
can be combined by boolean operators rather than that they are refinable and executable.
You may think of the logical approach as addressing the final link

$\llbracket S_n \rrbracket \subseteq \llbracket \varphi \rrbracket$

in a verification chain, where the top-level specification φ is given as a logical formula.

1.3.2 Specification logics

While only certain real-time properties pass as a suitable semantics of a reactive system,
we allow any real-time property as the semantics of a specification. In particular, we do
not require that the analog properties that are defined by specifications are weakly closed
under stuttering, digitizable, or given operationally. The only requirements that we put on
the interpretation of specification languages are the following:

Transparency Every expression φ of the specification language defines an analog property
Π_R(φ) — the analog semantics of φ. The real-time behaviors that satisfy the
specification φ are exactly the real-time behaviors in Π_R(φ):

$\llbracket \varphi \rrbracket = \mathit{Beh}(\Pi_R(\varphi)).$

Logicality If φ and ψ are expressions of the specification language, then so are φ ∧ ψ,
φ ∨ ψ, and ¬φ. Moreover, any boolean combination of expressions defines the
corresponding boolean combination of properties:

$\Pi_R(\varphi \wedge \psi) = \Pi_R(\varphi) \cap \Pi_R(\psi),$
$\Pi_R(\varphi \vee \psi) = \Pi_R(\varphi) \cup \Pi_R(\psi),$
$\Pi_R(\neg\varphi) = TSS_R - \Pi_R(\varphi).$

Clock independence The specification φ defines a set of infinite timed state sequences
uniformly, independent of the clock model:

$\Pi_N(\varphi) = (\Pi_R(\varphi))_N$

for the digital semantics Π_N(φ) of φ.

Note that the logicality of the analog semantics together with the condition of clock independence
ensures that the digital semantics of boolean combinations behaves “logically” as
well:

$\Pi_N(\varphi \vee \psi) = \Pi_N(\varphi) \cup \Pi_N(\psi),$

and similarly for conjunction and negation.
We emphasize that our interpretation of specifications differs from our interpretation
of system descriptions: while a precisely timed state sequence that results from observing
the behavior of a system stands for the set of real-time behaviors that are consistent with
the observation sequence, a timed state sequence that is admitted by a specification stands
only for itself; while the analog semantics Π ⊆ TSS_R of a system represents the set ⟦Π⟧ of
real-time behaviors, the analog semantics Π of a specification represents the set Beh(Π) of
real-time behaviors. For example, a specification that admits only nondeterministic timed
state sequences cannot be satisfied by any system. Our choice to model real-time behavior
by timed state sequences forces us to make such a grave distinction in the interpretation
of system descriptions, which ought to be refinable, and specifications, which ought to be
logical:

1. Beh(Π) is an unsuitable denotation of refinable properties, because it is generally
different from Beh(Γ(Π)).

2. ⟦Π⟧ is an unsuitable denotation of complementable properties, because it is generally
not disjoint from ⟦TSS_R − Π⟧.

We remark that a restriction to deterministic timed state sequences (i.e., state interval
sequences) offers a clean solution to this dilemma at the expense of having more complicated
basic semantical objects.




1.3.3 Analog versus digital verification

Given a reactive system S and a specification φ, we discuss two approaches to the verification
problem:

Analog verification The analog approach checks, in the analog-clock model, whether

$\mathit{Det}(\Pi_R(S)) \subseteq \Pi_R(\varphi).$

Digital verification The digital approach checks, in the digital-clock model, whether

$\mathit{Det}(\Pi_N(S)) \subseteq \Pi_N(\varphi).$


The analog approach of checking containment of analog properties can be extremely difficult;
we will show the analog verification problem to be undecidable for many implementation and
specification languages. This is why we have introduced the digital-clock model, which
often has a simpler verification problem. Even though recently there have been some surprising
successes in analog verification [9], we shall concentrate in this thesis on methods for digital
verification.

Note that neither of the two approaches directly solves the original verification problem,
which poses a question about real-time behaviors,

$\llbracket S \rrbracket \subseteq \llbracket \varphi \rrbracket,$

not about analog or digital properties. So what, if anything, is achieved if either the analog
or the digital verification problem is solved? For a verification method to be meaningful,
obviously its result ought to give at least some insight about the original verification problem.
For a particular system S and specification φ, we say that an application of analog
(digital) verification is sound iff

$\mathit{Det}(\Pi(S)) \subseteq \Pi(\varphi) \quad\text{implies}\quad \llbracket S \rrbracket \subseteq \llbracket \varphi \rrbracket;$

it is complete iff

$\llbracket S \rrbracket \subseteq \llbracket \varphi \rrbracket \quad\text{implies}\quad \mathit{Det}(\Pi(S)) \subseteq \Pi(\varphi).$

Soundness ensures that verification does not claim that an incorrect system is correct, although
it may discard a correct system as incorrect; soundness and completeness together
guarantee that verification gives the right answer. Since we require the analog semantics
of both system descriptions and specifications to be transparent, analog verification is always
sound. Digital verification, on the other hand, is sound only for checking certain
specifications:

Proposition 1.10 (Soundness of digital verification) Digital verification is sound for
all (systems S and) specifications φ with an analog semantics Π_R(φ) that is inversely closed
under digitization.

Proof of Proposition 1.10 Assume that Π_R(φ) is inversely closed under digitization
and that Det(Π_N(S)) ⊆ Π_N(φ); we show that Beh(Π_R(S)) ⊆ Beh(Π_R(φ)). Consider an
arbitrary real-time behavior ρ ∈ Π_R(S). Then ρ ∈ Det(Π_R(S)), which implies that

$[\rho] \subseteq \mathit{Det}(\Pi_R(S))_N = \mathit{Det}(\Pi_N(S)) \subseteq \Pi_N(\varphi) \subseteq \Pi_R(\varphi).$

Since Π_R(φ) is inversely closed under digitization, ρ ∈ Beh(Π_R(φ)). ■
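The proof above works with [ρ], the set of all digitizations of a behavior ρ. As an added example (not the thesis's own code), the following Python enumerates that set for a constructed precisely timed state sequence, assuming the ε-digitization defined in an earlier section of the thesis: a timestamp is rounded down when its fractional part is at most ε and up otherwise, for 0 ≤ ε ≤ 1. Because [ρ]_ε changes only when ε passes the fractional part of some timestamp, [ρ] is finite for a finite sequence, and every member is again monotone. The block also checks by brute force the observation on integer delay bounds that the proof of Proposition 2.3 in Section 2.1.1 relies on. The function names and the sample sequence are this example's own.

```python
"""The set [rho] of all digitizations of a precisely timed state sequence rho.
Added example, not from the thesis.  Assumes the epsilon-digitization of an
earlier section: [t]_eps = floor(t) if t <= floor(t) + eps, else ceil(t), for
0 <= eps <= 1, applied pointwise to the timestamps of rho."""
import math
from typing import List, Sequence, Tuple

TimedState = Tuple[str, float]


def digitize_time(t: float, eps: float) -> int:
    """[t]_eps: round down when the fractional part is at most eps, else round up."""
    fl = math.floor(t)
    return fl if t <= fl + eps else fl + 1


def digitize(rho: Sequence[TimedState], eps: float) -> List[Tuple[str, int]]:
    """[rho]_eps: digitize every timestamp, keep every state."""
    return [(s, digitize_time(t, eps)) for s, t in rho]


def all_digitizations(rho: Sequence[TimedState]) -> List[List[Tuple[str, int]]]:
    """[rho] = { [rho]_eps : 0 <= eps <= 1 }.  [rho]_eps changes only when eps passes
    the fractional part of some timestamp, so eps = 0 and eps = each fractional part
    enumerate every member; the result is listed by increasing eps."""
    cut_points = sorted({0.0} | {t - math.floor(t) for _, t in rho})
    seen, members = set(), []
    for eps in cut_points:
        d = digitize(rho, eps)
        if tuple(d) not in seen:
            seen.add(tuple(d))
            members.append(d)
    return members


def is_monotone(rho: Sequence[Tuple[str, float]]) -> bool:
    """Timestamps never decrease along the sequence."""
    return all(rho[k][1] <= rho[k + 1][1] for k in range(len(rho) - 1))


def delay_bounds_survive(horizon: int = 4, step: float = 0.25) -> bool:
    """Brute-force check of the observation used in the proof of Proposition 2.3:
    for integer delays l, u, T_j >= T_i + l implies [T_j]_eps >= [T_i]_eps + l, and
    T_j <= T_i + u implies [T_j]_eps <= [T_i]_eps + u, over a grid of timestamps."""
    grid = [k * step for k in range(int(horizon / step) + 1)]
    for ti in grid:
        for tj in grid:
            for eps in (0.0, 0.1, 0.25, 0.5, 0.75, 0.9, 1.0):
                di, dj = digitize_time(ti, eps), digitize_time(tj, eps)
                for bound in range(horizon + 1):
                    if tj >= ti + bound and dj < di + bound:
                        return False
                    if tj <= ti + bound and dj > di + bound:
                        return False
    return True


def sample_sequence() -> List[TimedState]:
    """Constructed precisely timed state sequence with fractional parts 0, 0.25, 0.75."""
    return [("a", 0.0), ("b", 0.25), ("c", 1.25), ("d", 2.75), ("e", 3.0)]


if __name__ == "__main__":
    rho = sample_sequence()
    for member in all_digitizations(rho):
        print(member, "monotone:", is_monotone(member))
    print("integer delay bounds survive digitization:", delay_bounds_survive())
```

For the sample sequence the three cut points ε = 0, 0.25, 0.75 yield three distinct members of [ρ]; ε = 0 rounds every non-integer timestamp up, ε = 0.75 rounds every timestamp down, exactly the two extremes the digitization interpolates between.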

We will show that the criterion for soundness of digital verification is indeed satisfied
by our specifications of the most important real-time properties. In addition, it is trivially
satisfied by all specifications of time-invariant properties, which are obviously digitizable.
We also point out that we may gain some information about a system even from the positive
result of an unsound application of digital verification. In that case we have proved
something about all digitizations of system behaviors, rather than the system behaviors
themselves. For example, if we are able to show that a system is in state a whenever
the digital clock shows 1, then we know that the system is in state a throughout the time
interval (0,2). Thus, to make sure that a system satisfies its specification, we may try to
prove a modified assertion by digital verification.

Both analog and digital verification turn out to be complete for the same restricted set
of verification problems:

Proposition 1.11 (Completeness of verification) Analog verification is complete for
all (systems S and) specifications φ with Γ(Beh(Π_R(φ))) ⊆ Π_R(φ). Digital verification is
complete under the same condition.

Proof of Proposition 1.11 Let us assume that both Γ(Beh(Π_R(φ))) ⊆ Π_R(φ) and
Beh(Π_R(S)) ⊆ Beh(Π_R(φ)).

(1) To see that analog verification is complete, observe that

$\mathit{Det}(\Pi_R(S)) = \Gamma(\mathit{Beh}(\Pi_R(S))) \subseteq \Gamma(\mathit{Beh}(\Pi_R(\varphi))) \subseteq \Pi_R(\varphi).$

(2) To see that digital verification is complete, use part (1) and the definitions of Π_N(S)
and Π_N(φ). ■
Chapter 2

Real-time Systems

We identify the possible real-time behaviors of a reactive system in two steps. First, we introduce
the abstract notion of a timed transition system and define its execution sequences
over time. Then, we consider concrete real-time systems and show how the concrete constructs
can be interpreted within the abstract model. We demonstrate that our framework
can model a wide variety of phenomena that routinely occur in conjunction with concurrent
real-time processes. Our treatment covers both processes that are executed in parallel on
separate processors, and processes that time-share a limited number of processors under
a given scheduling policy. Often it is this scheduling policy that determines if a system
meets its real-time requirements. Thus we explicitly address such questions as time-outs,
interrupts, static and dynamic priorities.

2.1 Abstract Model: Timed Transition Systems

As a conceptual model of reactive systems we use discrete transition systems [69, 106], which
we generalize by imposing timing constraints on the transitions. Qualitative fairness requirements
for transitions are replaced (and superseded) by quantitative lower-bound and
upper-bound real-time requirements.

A transition system S = (Σ, Θ, T) consists of three components:

1. a (possibly infinite) set Σ of states,

2. a subset Θ ⊆ Σ of initial states,

3. a finite set T of transitions, including the idle transition τ_I. Every transition τ ∈ T
is a binary relation on Σ; that is, it defines for every state σ ∈ Σ a (possibly empty)
set of τ-successors τ(σ) ⊆ Σ. We say that the transition τ is enabled on a state σ iff
τ(σ) ≠ ∅. In particular, the idle (stutter) transition

$\tau_I = \{(\sigma, \sigma) \mid \sigma \in \Sigma\}$

is enabled on every state.

An infinite sequence σ of states is a computation (execution sequence, run) of the transition
system S = (Σ, Θ, T) iff it satisfies the following two requirements:

Initiality σ₀ ∈ Θ.

Consecution For all i ≥ 0 there is a transition τ ∈ T such that σ_{i+1} ∈ τ(σ_i) (which is
also denoted by $\sigma_i \xrightarrow{\tau} \sigma_{i+1}$). We say that τ is taken at position i and completed at
position i + 1. The case of the idle transition τ_I being taken is called a stuttering step.

Let Π(S) be the set of all computations of S.

We incorporate time into the transition system model by assuming that all transitions
happen “instantaneously,” while real-time constraints restrict the times at which transitions
occur. The timing constraints are classified into two categories: lower-bound and upper-bound
requirements. They ensure that transitions occur neither too early nor too late,
respectively. All of our time bounds are nonnegative integers. The absence of a lower-bound
requirement is modeled by a lower bound of 0; the absence of an upper-bound requirement
by an upper bound of ∞. For notational convenience, we assume that ∞ > n for all n ∈ N.

A timed transition system S = (Σ, Θ, T, l, u) consists of an underlying transition system
S^− = (Σ, Θ, T) as well as

4. a minimal delay l_τ ∈ N for every transition τ ∈ T. We require that l_{τ_I} = 0.

5. a maximal delay u_τ ∈ N ∪ {∞} for every transition τ ∈ T. We require that u_τ ≥ l_τ
for all τ ∈ T, and that u_τ = ∞ if τ is enabled on any initial state in Θ. In particular,
u_{τ_I} = ∞.

An infinite timed state sequence ρ = (σ, T) is a computation of the timed transition system
S = (Σ, Θ, T, l, u) iff the state sequence σ is a computation of the underlying transition
system S^−, and

Lower bound For every transition τ ∈ T and all positions i ≥ 0 and j ≥ i such that
T_j < T_i + l_τ,

if τ is taken at position j,
then τ is enabled on σ_i.

In other words, once enabled, τ is delayed for at least l_τ time units; it can be taken
only after being continuously enabled for l_τ time units.

Upper bound For every transition τ ∈ T and position i ≥ 0 such that τ is enabled on σ_i,
there is some position j ≥ i with T_j ≤ T_i + u_τ such that

either τ is completed at position j,
or τ is not enabled on σ_j.

In other words, once enabled, τ is delayed for at most u_τ time units; it cannot be
continuously enabled for more than u_τ time units without being completed.
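As an added example (not code from the thesis), the following Python checks a finite prefix of a timed state sequence against the initiality, consecution, lower-bound, and upper-bound requirements just defined. Since computations are infinite, the checker reports only the violations a prefix makes observable: a lower-bound violation is final once seen, an upper-bound requirement counts as violated only when the prefix already contains a position with T_j > T_i + u_τ but no completion or disabling within the deadline, and a maximal delay of ∞ is therefore never refuted on a finite prefix (it is the weak-fairness obligation discussed below). The handshake system, its delays, and the sample prefixes are constructed for the illustration; the literal reading of the definitions (τ is taken at j iff σ_{j+1} ∈ τ(σ_j), completed at j iff taken at j − 1, and j ≥ i) is the one implemented.

```python
"""Checking a finite prefix against a timed transition system S = (Sigma, Theta, T, l, u).
Added example; reporting only the violations a prefix makes observable is an
assumption of this example, not a definition from the thesis."""
from __future__ import annotations

import math
from typing import Callable, Dict, Hashable, List, Sequence, Set, Tuple

State = Hashable
Successors = Callable[[State], Set[State]]   # tau(sigma): the set of tau-successors of sigma
TimedState = Tuple[State, float]             # (sigma_i, T_i)

IDLE = "idle"   # the idle transition tau_I: l = 0, u = infinity, enabled on every state


class TimedTransitionSystem:
    """Sigma is left implicit: any hashable value may serve as a state."""

    def __init__(self, initial: Set[State], transitions: Dict[str, Successors],
                 lower: Dict[str, int], upper: Dict[str, float]) -> None:
        self.initial = set(initial)
        self.transitions = dict(transitions)
        self.lower = dict(lower)
        self.upper = dict(upper)
        self.transitions[IDLE] = lambda s: {s}
        self.lower[IDLE] = 0
        self.upper[IDLE] = math.inf
        for name in self.transitions:            # well-formedness conditions 4 and 5
            if self.upper[name] < self.lower[name]:
                raise ValueError(f"u_{name} < l_{name}")
            if self.upper[name] != math.inf and any(self.enabled(name, s) for s in self.initial):
                raise ValueError(f"{name} is enabled on an initial state but u_{name} is finite")

    def enabled(self, name: str, state: State) -> bool:
        return bool(self.transitions[name](state))

    def taken(self, name: str, rho: Sequence[TimedState], j: int) -> bool:
        """tau is taken at position j iff sigma_{j+1} is a tau-successor of sigma_j."""
        return j + 1 < len(rho) and rho[j + 1][0] in self.transitions[name](rho[j][0])


def check_prefix(tts: TimedTransitionSystem, rho: Sequence[TimedState]) -> List[str]:
    """Violations that the finite prefix rho makes observable (empty list: none observed)."""
    viol: List[str] = []
    n = len(rho)
    if rho[0][0] not in tts.initial:
        viol.append("initiality")
    for j in range(n - 1):
        if rho[j + 1][1] < rho[j][1]:
            viol.append(f"monotonicity at position {j}")
        if not any(tts.taken(name, rho, j) for name in tts.transitions):
            viol.append(f"consecution at position {j}")
    for name in tts.transitions:
        l, u = tts.lower[name], tts.upper[name]
        # Lower bound: for i <= j with T_j < T_i + l, "tau taken at j" forces "tau enabled on sigma_i".
        for j in range(n - 1):
            if tts.taken(name, rho, j):
                for i in range(j):
                    if rho[j][1] < rho[i][1] + l and not tts.enabled(name, rho[i][0]):
                        viol.append(f"lower bound of {name} at positions {i} < {j}")
        # Upper bound: tau enabled on sigma_i needs some j >= i with T_j <= T_i + u at which
        # tau is completed (taken at j - 1) or disabled.  A prefix can only refute this once
        # it contains a position beyond the deadline, so u = infinity is never refuted here.
        for i in range(n):
            if not tts.enabled(name, rho[i][0]):
                continue
            deadline = rho[i][1] + u
            discharged = any(
                (j >= 1 and tts.taken(name, rho, j - 1)) or not tts.enabled(name, rho[j][0])
                for j in range(i, n) if rho[j][1] <= deadline)
            window_closed = any(rho[j][1] > deadline for j in range(i, n))
            if not discharged and window_closed:
                viol.append(f"upper bound of {name} at position {i}")
    return viol


def handshake() -> TimedTransitionSystem:
    """Constructed sample system: a --req--> b --resp--> c --reset--> a.
    req is enabled on the initial state a, so condition 5 forces u_req = infinity."""
    succ: Dict[str, Successors] = {
        "req": lambda s: {"b"} if s == "a" else set(),
        "resp": lambda s: {"c"} if s == "b" else set(),
        "reset": lambda s: {"a"} if s == "c" else set(),
    }
    return TimedTransitionSystem(initial={"a"}, transitions=succ,
                                 lower={"req": 0, "resp": 1, "reset": 0},
                                 upper={"req": math.inf, "resp": 3, "reset": 2})


if __name__ == "__main__":
    S = handshake()
    # constructed prefixes: the first is consistent with a computation, the others are not
    print(check_prefix(S, [("a", 0), ("b", 2), ("b", 3.5), ("c", 4), ("a", 4)]))
    print(check_prefix(S, [("a", 0), ("a", 2), ("b", 2), ("c", 2.5)]))        # b held for < 1 time unit
    print(check_prefix(S, [("a", 0), ("b", 1), ("b", 3), ("b", 5), ("b", 6)]))  # resp pending > 3 units
    print(check_prefix(S, [("a", 0), ("c", 1)]))                               # no transition a -> c
```

Note how the second prefix needs the pair (a, 2) → (b, 2) to pin the change to b at time 2: the observation (a, 0) → (b, 2) → (c, 2.5) alone does not violate the lower bound of resp, because the change to b may have happened as early as time 0.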

Let Π(S) be the set of all computations of S. In the analog-clock model, the system S
defines the analog property Π_R(S); in the digital-clock model, S defines the digital property
Π_N(S) = (Π_R(S))_N; in the untimed model, the untimed property Π_1(S). Note that we
consider all computations of S to be infinite; finite (terminating as well as deadlocking)
computations are represented by infinite extensions that add only stuttering steps. In fact,
every computation of S must contain infinitely many stuttering steps.

The timing constraints of a timed transition system S can be viewed as filters that
prohibit certain execution sequences of the underlying untimed transition system S^−:

$\Pi(S)^- \subseteq \Pi(S^-).$

Special cases of timing constraints are a minimal delay 0 and a maximal delay ∞ for a
transition τ. While the former does not rule out any computations of S^−, the latter adds
to S^− a weak-fairness (justice) assumption [88]: τ cannot be continuously enabled without
being taken. The untimed semantics Π_1(S) of S results from adding these weak-fairness
requirements to the underlying untimed transition system S^−, thus obtaining a weakly-fair
transition system. The analog and digital semantics of S add further constraints.

In the following two subsections we show that the analog semantics Π_R(S) of any timed
transition system S satisfies our requirements of being maximally closed under stuttering,
digitizable, and, under certain restrictions, given operationally. These attributes assure
that timed transition systems can be refined, verified by digital methods, and executed,
respectively.

2.1.1 Closure properties

We show that the analog properties that are definable by our abstract machine model of
timed transition systems are

1. closed under shifting the origin of time,

2. maximally closed under refinement of time, and

3. both closed and inversely closed under digitization of time.

Linear transformation of time

First let us show that our choice to restrict both maximal and minimal delays of transitions
to natural numbers, rather than allowing arbitrary rational numbers, does not limit the
real-time phenomena that can be modeled by timed transition systems. The unit of the
clock can always be scaled appropriately, because the computations of a timed transition
system are, in the following sense, invariant under linear transformations of time. Let α ≠ 0
and β be arbitrary real numbers. Given a timed transition system S = (Σ, Θ, T, l, u), by
αS = (Σ, Θ, T, αl, αu) we denote the timed transition system (if any) that results from S
by multiplying all minimal and (finite) maximal delays with α. Similarly, given a timed
state sequence ρ = (σ, T), we write αρ + β = (σ, αT + β) for the timed state sequence (if
any)

$(\sigma_0, \alpha T_0 + \beta) \to (\sigma_1, \alpha T_1 + \beta) \to (\sigma_2, \alpha T_2 + \beta) \to (\sigma_3, \alpha T_3 + \beta) \to \cdots.$

Note that neither αS nor αρ + β may be defined.

Proposition 2.1 (Scaling of the clock) Suppose that both αS and αρ + β are defined
for a timed transition system S, an infinite timed state sequence ρ, and real numbers α ≠ 0
and β. If ρ is a computation of S, then αρ + β is a computation of αS.

Proof of Proposition 2.1 The proposition follows immediately from the form of the
lower-bound and upper-bound requirements on computations. ■

In particular, the set of computations of a timed transition system is closed under
shifting the origin of time (take α = 1). In other words, timed transition systems cannot
refer to absolute time. Thus we will often assume, without loss of generality, that the time
of the first state change of a computation is 0.

Refinement of time

We show that the care we have taken in the definition of lower-bound and upper-bound
requirements for timed transition systems has succeeded in making computations robust under
stuttering: given a timed transition system S and a computation ρ of S, the addition of
finitely many stuttering steps to ρ yields again a computation of S. In fact, we have the
following stronger result.

Proposition 2.2 (Maximal closure under stuttering) The set of computations of a
timed transition system is maximally closed under stuttering.

Proof of Proposition 2.2 Let S be a timed transition system. First observe that the
infinite timed state sequence

$\cdots \to (\sigma_i, T_i) \to (\sigma_i, T_i) \to \cdots$

is a computation of S iff the sequence

$\cdots \to (\sigma_i, T_i) \to \cdots$

is a computation of S; and the infinite timed state sequence

$(\sigma_0, T_0) \to (\sigma_0, T_1) \to \cdots$

is a computation of S iff the sequence

$(\sigma_0, T_1) \to \cdots$

is a computation of S, because the maximal delay of every transition that is enabled on σ₀
is ∞. Then observe that the infinite timed state sequence


is a computation of S iff the two sequences

$\cdots \to (\sigma_i, T_i) \to (\sigma_i, T_{i+1}) \to (\sigma_{i+1}, T_{i+2}) \to \cdots,$

$\cdots \to (\sigma_i, T_i) \to (\sigma_{i+1}, T_{i+1}) \to (\sigma_{i+1}, T_{i+2}) \to \cdots$

are computations of S. It follows that the set of computations of S is maximally closed
under stuttering. ■

This proposition confirms that the lower-bound and upper-bound requirements on computations
have the intended meaning under our interpretation of a precisely timed state
sequence as a set of real-time behaviors. For the computations of a timed transition system
S = (Σ, Θ, T, l, u) can be alternatively characterized as follows: an infinite timed state sequence
ρ is a computation of S iff every behavior ρ' = (σ, T) that is specified by ρ under
stuttering (that is, ρ' ∈ ⟦ρ⟧) satisfies the initiality and consecution requirements as well as

Deterministic lower bound For every transition τ ∈ T and all positions i ≥ 0 and j ≥ i
such that T_j < T_i + l_τ,

if τ is taken at position j,
then τ is enabled on σ_i.

Deterministic upper bound For every transition τ ∈ T and position i ≥ 0 such that τ
is enabled on σ_i, there is some position j ≥ i with T_j ≤ T_i + u_τ such that

either τ is taken at position j,
or τ is not enabled on σ_j.

Maximal closure under stuttering allows us to generalize the untimed notion of refinement
mappings between transition systems [1]. Suppose that S₁ and S₂ are two timed
transition systems with the sets Σ₁ and Σ₂ of states, respectively. Let f : Σ₁ → Σ₂ be a
mapping between states that is typically many-to-one; that is, f hides some information
about the states of S₁. We say that f is a refinement mapping from S₁ to S₂ iff the image
of every computation of S₁ is a computation of S₂:

$(\sigma, T) \in \Pi(S_1) \quad\text{implies}\quad (f(\sigma), T) \in \Pi(S_2).$

The system S₁ is said to refine (implement) the system S₂ iff there exists a refinement
mapping from S₁ to S₂. Note that if S₁ refines S₂, then it may “refine” both state and time
information:

State refinement S₁ may contain more state information than S₂, in which case nonidle
transitions are mapped to stuttering steps. This is analogous to untimed refinement.

Time refinement S₁ may contain more information about the time of state changes than
S₂, in which case any mapping f between computations is not onto (even if f is onto
between the state components of computations). For example, the timed transition
system whose computations are the infinite sequences in the stuttering closure of the
timed state sequence

$(a, 0) \to (b, 5)$

is refined by the timed transition system whose computations are contained in the
stuttering closure of

$(a, 2) \to (b, 3)$

(take the identity mapping between states), but not vice versa.

Digitization of time

The following proposition ensures that the analog semantics Π_R(S) and the digital semantics
Π_N(S) of a timed transition system S denote the same set of real-time behaviors.

Proposition 2.3 (Digitizability)  The set of computations of a timed transition system
is digitizable.

Proof of Proposition 2.3  (1) To see that the set of computations of a timed transition
system is closed under digitization, observe that

T_j ≥ T_i + l implies [T_j]_ε ≥ [T_i]_ε + l

and

T_j ≤ T_i + u implies [T_j]_ε ≤ [T_i]_ε + u

for all T_i, T_j ∈ R, l, u ∈ N ∪ {∞}, and 0 ≤ ε ≤ 1. These observations guarantee that
whenever any digitization [ρ]_ε of a timed state sequence ρ violates a lower-bound requirement
for the positions i < j, then so does ρ; and whenever ρ satisfies an upper-bound requirement
for position i at position j ≥ i, then so does every digitization [ρ]_ε.

(2) To see that the set of computations of a timed transition system is inversely closed
under digitization, observe that there is, for all T_i, T_j ∈ R and l, u ∈ N ∪ {∞}, some
0 ≤ ε ≤ 1 such that

T_j < T_i + l implies [T_j]_ε < [T_i]_ε + l

and some 0 ≤ ε ≤ 1 such that

T_j > T_i + u implies [T_j]_ε > [T_i]_ε + u.

These observations guarantee that whenever a timed state sequence ρ violates a lower-bound
requirement for the positions i < j, then so does some digitization [ρ]_ε of ρ; and whenever
every digitization [ρ]_ε satisfies an upper-bound requirement for position i first at position
j ≥ i, then so does ρ. ∎

There are two immediate ramifications of this result. First, every timed transition
system S specifies the same untimed property in the analog-clock model and the digital-clock
model:

Π_R(S)^- = Π_N(S)^- ⊆ Π_I(S)^- ⊆ Π(S^-).

Secondly, recall the definition of lower-bound and upper-bound requirements for timed transition
systems. The precise meaning of the timing constraints seems to depend on the time
domain. Consider, for example, the upper-bound requirement that a continuously enabled
transition τ must be completed within its maximal delay of, say, u_τ = 5. While in the
analog-clock model this requirement ensures, as intended, that τ is completed within 5 time
units, in the digital-clock model the same condition appears to guarantee only that τ is not
continuously enabled for more than 5 clock ticks, allowing the actual difference between τ
becoming enabled and τ being completed to be as much as, say, 5.9 time units. Closure under
digitization implies that this is not the case and that all timing constraints preserve their
intended meaning in the digital-clock model.
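As an added illustration of both directions of Proposition 2.3 (constructed example code, not the thesis's), the following implements the digitization [x]_ε under the convention assumed here (x rounds down iff its fractional part is at most ε), checks closure and inverse closure over the finitely many thresholds that produce distinct digitizations, and replays the 5.9-time-unit scenario above; all function names are this example's own.

```python
# Added example (not the thesis's code): digitization of timed state sequences.
from fractions import Fraction
from math import ceil, floor
from typing import List, Optional, Sequence, Union

Time = Fraction                  # analog times are kept exact as fractions
Bound = Union[int, float]        # a delay in N, or float('inf') for a delay of infinity

def digitize(x: Time, eps: Fraction) -> int:
    """[x]_eps: x rounds down iff its fractional part is at most eps, else up."""
    return floor(x) if x <= floor(x) + eps else ceil(x)

def digitize_seq(times: Sequence[Time], eps: Fraction) -> List[int]:
    """The time component of the digitization [rho]_eps of a timed state sequence."""
    return [digitize(t, eps) for t in times]

def thresholds(times: Sequence[Time]) -> List[Fraction]:
    """[.]_eps changes only when eps crosses the fractional part of some T_i, so
    these finitely many values of eps already yield every distinct digitization."""
    return sorted({Fraction(t) - floor(t) for t in times} | {Fraction(0), Fraction(1)})

def lower_ok(times: Sequence, i: int, j: int, l: Bound) -> bool:
    """A transition taken at position j after being enabled since position i
    respects its minimal delay l unless T_j < T_i + l."""
    return not (times[j] < times[i] + l)

def upper_ok(times: Sequence, i: int, j: int, u: Bound) -> bool:
    """A transition completed or disabled at position j respects its maximal delay u
    counted from position i iff T_j <= T_i + u."""
    return times[j] <= times[i] + u

def closed_under_digitization(times, i, j, l, u) -> bool:
    """Part (1) of Proposition 2.3: a bound that rho satisfies for positions i, j is
    satisfied by every digitization [rho]_eps."""
    for eps in thresholds(times):
        d = digitize_seq(times, eps)
        if lower_ok(times, i, j, l) and not lower_ok(d, i, j, l):
            return False
        if upper_ok(times, i, j, u) and not upper_ok(d, i, j, u):
            return False
    return True

def violating_digitization(times, i, j, l, u) -> Optional[Fraction]:
    """Part (2): if rho violates a bound for positions i, j, some digitization
    violates it too; returns such an eps, or None when rho satisfies both bounds."""
    if lower_ok(times, i, j, l) and upper_ok(times, i, j, u):
        return None
    for eps in thresholds(times):
        d = digitize_seq(times, eps)
        if not lower_ok(d, i, j, l) or not upper_ok(d, i, j, u):
            return eps
    raise AssertionError("inverse closure failed, contradicting Proposition 2.3")

if __name__ == "__main__":
    # The scenario discussed above: tau enabled at time 0, completed at 5.9, u = 5.
    rho = [Fraction(0), Fraction(59, 10)]
    print(digitize_seq(rho, Fraction(9, 10)))       # [0, 5]: this digitization looks fine
    print(violating_digitization(rho, 0, 1, 0, 5))  # 0: eps = 0 gives [0, 6] and exposes it
```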

2.1.2 Operationality

Any particular execution sequence of a timed transition system S is a deterministic computation
of S. We say that Det(Π(S)) is the set of runs of S. The run fragments of a timed
transition system are obtained by closing the set of runs under suffixes: an infinite timed
state sequence ρ' is a run fragment of S iff ρ' = ρ^i for some run ρ of S and i ≥ 0. Note that
run fragments are infinite deterministic timed state sequences; during a run (fragment) time
can advance only with the idle transition. In the untimed model, no such distinction between
computations and runs is necessary, because all computations are deterministic. Thus
the run fragments of an untimed transition system S are all suffixes of the computations
of S.

We would like our abstract machine model to be operational; that is, the description of a timed
transition system should give a prescription of how (all of) its runs can be generated monotonically,
by adding a state at a time. Untimed transition systems specify unconditional
safety properties and are, therefore, trivially executable:

Start with an initial state, and at any point during the stepwise construction of
a computation take, nondeterministically, any of the enabled transitions.

At every step during the incremental generation of a timed run, we have to choose either
a transition that is taken (without incrementing time) or an amount of time that passes
(while the idle transition is taken). A timed transition system S, however, contains liveness
requirements. Thus it may not be obvious how to choose successive transitions or time
increments such that

1. At any point it is possible to extend the generated finite deterministic timed state
sequence to a run of S; that is, all upper-bound requirements and the progress condition
on time can, at some later point, be satisfied.

2. Any run of S can be generated in this fashion.

Fortunately, the safety and liveness components of S can be easily separated: a timed
transition system without infinite maximal delays specifies a real-time safety property; infinite
maximal delays add real-time liveness requirements. If this decomposition is congruous
relative to deterministic timed state sequences, it suggests a simple procedure for executing
the system S:

Start with an initial state, and at any point during the stepwise construction
of a run either take, without advancing time, any of the transitions that have
been enabled long enough, or take the idle transition and advance time without
delaying any transition for more than its maximal delay. During this procedure,
make sure that all liveness requirements are satisfied "eventually" and time is
advanced infinitely often.

We give a sufficient condition on timed transition systems S that can be easily checked
and ensures that the decomposition of S into safety and liveness components is real-time
congruous.


Safety-liveness decomposition

Let S = (Σ, Θ, T, l, u) be a timed transition system. A finite timed state sequence ρ = (σ, T)
is said to be a partial computation of S iff it satisfies the initiality, consecution, and lower-bound
requirements, and

Finite upper bound  For every transition τ ∈ T and position 0 ≤ i < |ρ| such that τ
is enabled on σ_i, either T_{|ρ|−1} < T_i + u_τ or there is some position j ≥ i with
T_j ≤ T_i + u_τ such that

either τ is completed at position j,
or τ is not enabled on σ_j.

A deterministic partial computation is called a partial run. Let Π_s(S) be the real-time
property that contains an infinite timed state sequence ρ iff all finite prefixes of ρ are partial
computations of S. We write T_0 ⊆ T and T_∞ ⊆ T for the sets of transitions of S with
maximal delay 0 and ∞, respectively. Let Π_l(S) be the real-time property that contains an
infinite timed state sequence ρ iff

Infinite upper bound  For every transition τ ∈ T_∞ there are infinitely many positions
i ≥ 0 such that

either τ is completed at position i,
or τ is not enabled on σ_i.

Clearly,

Π(S) = Π_s(S) ∩ Π_l(S).

It is also not hard to see that Π_s(S) is a real-time safety property and Π_l(S) is a real-time
liveness property.

Thus it is easy to generate all partial computations of S incrementally, by maintaining
local consistency: choose, at any point, a state transition τ and time increment δ such that

Consecution  τ is enabled.

Lower bound  τ has been enabled long enough.

Finite upper bound  All other enabled transitions can be delayed for another δ time units.

Our hope is that any sequence of such locally consistent choices is globally proper; that
is, that any partial computation of S can be extended to a computation of S. In other
words, we want to show that the pair (Π_s(S), Π_l(S)) defines Π(S) congruously relative to
our timing assumption TSS. Unfortunately this is not the case. In fact, there are two
impediments:

1. When trying to incrementally generate a nondeterministic computation, a locally
consistent time increment may be too large. Consider, for example, the situation that
a transition τ with minimal delay 5 and maximal delay 5 is disabled on state a and
enabled on state b. Then the locally consistent time increment

··· → (a, 5) → (b, 7)

may lead to a situation from which time cannot advance without violating either
the lower-bound or the upper-bound requirement for τ. Note that a more restrictive
definition of local consistency is not appropriate either, because if τ becomes disabled
again, then the time increment given above may actually occur in a computation.
Instead, we are content with generating all runs Det(Π(S)) of a reactive system S,
which are deterministic.


2. Even when generating a deterministic computation of a reactive system S, maximal
delays 0 may impede the advancement of time. We adopt a simple sufficient criterion
for the operationality of S that rules out systems with "too many" maximal delays 0:
we say that S is an operational timed transition system (OTTS) iff there is no sequence
of states and transitions

σ_0 →(τ_0) σ_1 →(τ_1) ··· →(τ_{n−1}) σ_n

such that n > |T_0| and τ_i ∈ T_0 for all 0 ≤ i < n. Intuitively, the maximal delays 0
of an OTTS cannot prevent time from progressing. Formally, the safety-liveness
decomposition (Π_s(S), Π_l(S)) of an OTTS S is an operational presentation of Π(S):

Proposition 2.4 (Operational timed transition systems)  If S is an operational timed
transition system, then the set Det(Π(S)) of runs of S is defined congruously by the
pair (Π_s(S), Π_l(S)).

Proof of Proposition 2.4  Clearly,

Det(Π(S)) = Π_s(S) ∩ Π_l(S) ∩ Det(TSS).

It is also not hard to see that Π_s(S) is safe relative to Det(TSS) and Π_l(S) is live relative
to Det(TSS).

Thus it remains to be shown that every partial run of an OTTS S can be extended to
a run of S. We use the following strategy to extend partial runs. Let T be the transitions
of S and N ≥ (|T| + 1)^2 any sufficiently large integer constant. We alternate two phases:

Phase 1  For at least N positions, determine the maximal locally consistent time increment
δ ∈ TIME. If δ = 0, take any transition whose (finite) upper-bound requirement
prevents the progress of time. If δ > 0, take the idle transition and advance time by δ.
If no maximal locally consistent time increment exists (because all enabled transitions
can be delayed an arbitrary amount of time), take the idle transition and advance time
by any positive (nonzero) amount.

Phase 2  Once every N positions, take every transition with a maximal delay ∞ if it has
been enabled long enough. This phase satisfies all infinite-upper-bound requirements.

The only way for this strategy not to yield a run of S is that, from some point on, time
does not advance. In this case, there has to be a phase-1 sequence ρ of length … + 1 of the
form

The sequence ρ must contain a subsequence ρ' of length |T| + 1 such that every transition
in ρ' has been taken at least once before in ρ. It is not hard to see that, contrary to our
assumption, the state component of ρ' violates the operationality condition on S. ∎

It follows that every OTTS can be "executed" in the stepwise fashion that has been
outlined above, by incrementally constructing partial runs and satisfying the liveness
requirements, which are imposed by maximal delays ∞ and the progress of time, "eventually."
Explicit-clock transition systems

For any timed transition system S = (Σ, Θ, T, l, u), it will be useful to model the safety
part Π_s(S) of S by an untimed transition system S* that is given access to time as part
of its state description. The safety machine S* generates the set of infinite state sequences
all of whose finite prefixes correspond to partial runs of S. The correspondence between
partial runs of S, which are timed state sequences, and finite prefixes of computations of S*,
which are state sequences, is achieved by augmenting the states of the untimed transition
system S*. Every state of S* consists of a state of S as well as values for the following new
variables:

• A clock variable t that ranges over the time domain TIME; it records, in every state
σ_i of a partial run ρ = (σ, T) of S, the corresponding time T_i.

• A delay counter d_τ for every transition τ ∈ T that ranges over all time values
δ ∈ TIME with 0 ≤ δ ≤ u_τ; it records, in every state of a partial run of S, for
how many time units the transition τ has been continuously enabled without being
taken. Note that the value of a delay counter is well-defined only for deterministic
timed state sequences.

The explicit-clock transition system S* = (Σ*, Θ*, T*) associated with the timed transition
system S is defined to be the following untimed transition system:

1. Every state σ ∈ Σ* of S* is a tuple that contains a state σ^Σ ∈ Σ of S, a value
σ(t) ∈ TIME for the clock variable t, and a value 0 ≤ σ(d_τ) ≤ u_τ for each delay
counter d_τ:

Σ* = Σ × TIME × TIME^T.

2. A state of S* is initial iff it extends an initial state of S:

σ ∈ Θ* iff σ^Σ ∈ Θ.

3. Every transition of S is extended: T* contains, for every τ ∈ T, a transition τ* such
that (σ_1, σ_2) ∈ τ* iff for all τ' ∈ T,

σ_2^Σ ∈ τ(σ_1^Σ),
σ_1(d_τ) ≥ l_τ,
σ_2(d_τ') = σ_1(d_τ') if τ' ≠ τ and τ' is enabled on σ_2,
σ_2(d_τ') = 0 otherwise.

The second clause, σ_1(d_τ) ≥ l_τ, enforces all lower-bound requirements.

In addition, T* contains the idle transition τ_I and the tick transition τ_t that advances
time: (σ_1, σ_2) ∈ τ_t iff there is a positive (nonzero) time increment δ ∈ TIME such
that for all τ' ∈ T,

σ_1^Σ = σ_2^Σ,
σ_2(t) = σ_1(t) + δ,
σ_2(d_τ') = σ_1(d_τ') + δ if τ' is enabled on σ_2,
σ_2(d_τ') = 0 otherwise,
σ_2(d_τ') ≤ u_τ'.

The last clause enforces all finite-upper-bound requirements. Note that the idle transition
τ_I would be subsumed by the tick transition τ_t if the time increment δ = 0 were
admitted for τ_t. Our distinction between the idle transition and the tick transition
allows us to put different fairness requirements on the two transitions.

We point out that the definition of S* is independent of the clock model; that is, the set
Π_N(S*) of computations of S* in the digital-clock model contains exactly the computations
in the analog semantics Π_R(S*) of S* that assign only integer values to the clock variable
and all delay counters.

It is not hard to see that the timed transition system S and the explicit-clock transition
system S* are related in the following way:

• For every partial run (σ, T) of S, there is a finite state sequence σ* with σ*^Σ = σ
and σ*(t) = T such that σ* is a prefix of a computation of S* (let all delay counters
record the times that the corresponding transitions have been enabled).

• For every finite prefix σ* of a computation of S*, the timed state sequence (σ*^Σ, σ*(t))
is a partial run of S.
In other words, S* generates the state sequences that correspond to safe prefixes of runs
of S. In particular:

Π(S)^- = Det(Π(S))^- ⊆ Π(S*)^- ⊆ Π(S^-).

Liveness requirements can be easily added to the safety machine S* as follows:

1. A weak-fairness assumption stipulates that a transition cannot be continuously enabled
without being taken [88]. Let the weakly-fair extension of S* be the fair
transition system that is obtained from S* by adding a weak-fairness assumption for
every transition τ* if τ has a maximal delay ∞.

2. A strong-fairness assumption stipulates that a transition cannot be enabled infinitely
often without being taken [88]. Let the strongly-fair extension of S* be the fair
transition system that is obtained from the weakly-fair extension of S* by adding a strong-fairness
assumption for the tick transition τ_t. It is not hard to see that there is a one-to-one
correspondence between the computations of the strongly-fair extension of S* and the runs of S:

σ* is a computation of the strongly-fair extension of S* iff (σ*^Σ, σ*(t)) ∈ Det(Π(S)).

In particular, the strongly-fair extension of S* defines the same untimed property Π(S)^- as S.

2.2 Concrete Model: Multiprocessing Systems

The concrete real-time systems we consider first consist of a fixed number of sequential
real-time programs that are executed in parallel, on separate processors, and communicate
through a shared memory. We show how time-outs and real-time response can be
programmed in this language. Then we add message passing primitives for process
synchronization and communication.

2.2.1 Syntax: Timed transition diagrams

A shared-variables multiprocessing system P has the form

Each process P_i, 1 ≤ i ≤ m, is a sequential nondeterministic real-time program over the
finite set U_i of private (local) data variables and the finite set U_s of shared data variables.
The formula θ, called the data precondition of P, restricts the initial values of the variables
in

U = U_s ∪ ⋃_{1≤i≤m} U_i.

The real-time programs P_i can be alternatively presented in a textual programming
language or as transition diagrams. We shall use the latter, graphical, representation. For
this purpose, we extend the untimed transition diagram language by labeling transitions
with minimal and maximal time delays. A timed transition diagram for the process P_i
is a finite directed graph whose vertices, forming the set L_i, are called locations. The entry
location, usually ℓ_0^i, is indicated as follows:

[diagram: the entry location]

The intended meaning of the entry location ℓ_0^i is that the control of the process P_i starts at
that location. The component processes of a system are not required to start synchronously
(i.e., at the same time). Each edge in the graph is labeled by a guarded instruction, a
minimal delay l ∈ N and a maximal delay u ∈ N ∪ {∞} such that u ≥ l:

where the guard c is a boolean expression, x̄ is a vector of variables, and ē an equally typed
vector of expressions (the guard true and the delay interval [0, ∞] are usually suppressed;
for the empty vector nil, the instruction c → nil := nil is abbreviated to c?). We require
that every cycle in the graph consists of no fewer than two edges, at least one of which is
labeled by a positive (nonzero) maximal delay.

The intended operational meaning of the given edge is as follows. The minimal delay l
guarantees that whenever the control of the process P_i has resided at the source location for
at least l time units during which the guard c has been continuously true, then P_i may
proceed to the target location. The maximal delay u ensures that whenever the control of the
process P_i has resided at the source location for u time units during which the guard c has been
continuously true, then P_i must proceed to the target location. In doing so, the control of P_i
moves to the target location "instantaneously," and the current values of ē are assigned to the
variables x̄. In general, a process may have to proceed via several edges all of whose guards
have been continuously true for their corresponding maximal delays. In this case, any such
edge is chosen nondeterministically. It follows that the control of a process P_i may remain at
a location forever only in one of two situations: if the location has no outgoing edges, we say
that P_i has terminated; if each of the guards that are associated with the outgoing edges of
the location is false infinitely often, we say that P_i has deadlocked. The second condition is
necessary (although not sufficient) for stagnation, because if one guard is true forever, then
the corresponding maximal delay u < ∞ guarantees the progress of P_i.

2.2.2 Semantics: Timed transition systems

The operational view of timed transition diagrams can be captured by a simple translation
into the abstract model of timed transition systems. With the given shared-variables
multiprocessing system

P:

we associate the following timed transition system S_P = (Σ, Θ, T, l, u):

1. Σ contains all interpretations of the finite set

of data and control variables. Each control variable π_i, where 1 ≤ i ≤ m, ranges
over the set L_i ∪ {⊥}. The value of π_i indicates the location of the control of the
process P_i; it is ⊥ (undefined) before the process P_i starts.

2. Θ is the set of all states σ ∈ Σ such that θ is true in σ and σ(π_i) = ⊥ for all 1 ≤ i ≤ m.

3. T contains, in addition to the idle transition τ_I, an entry transition τ_0^i for every
process P_i, 1 ≤ i ≤ m, as well as a transition τ_E for every edge E in the timed
transition diagrams for P_1, …, P_m. In particular, σ' ∈ τ_0^i(σ) iff

σ(π_i) = ⊥ and σ'(π_i) = ℓ_0^i,
σ'(y) = σ(y) for all y ∈ V − {π_i}.

If E connects the source location ℓ to the target location ℓ', and is labeled by the
instruction c → x̄ := ē, then σ' ∈ τ_E(σ) iff

σ(π_i) = ℓ and σ'(π_i) = ℓ',
c is true in σ and σ'(x̄) = σ(ē),
σ'(y) = σ(y) for all y ∈ V − {π_i, x̄}.

If τ_E is uniquely determined by its source and target locations, we often write

4. If τ is an entry transition, then l_τ = 0. For every edge E labeled by the minimal
delay l, let l_{τ_E} = l.

5. If τ is an entry transition, then u_τ = ∞. For every edge E labeled by the maximal
delay u, let u_{τ_E} = u.

This translation defines the sets of possible computations and runs of the concrete real-time
system P as the sets Π(S_P) and Det(Π(S_P)) of (deterministic) timed state sequences.
The condition on timed transition diagrams that every cycle contains at least one positive
(nonzero) maximal delay ensures that the timed transition system S_P is operational.

For instance, the computations of the trivial system P that consists of a single process
with the timed transition diagram

P:

are exactly the infinite timed state sequences in the stuttering closure of

(⊥, 0) → (ℓ_0, 0) → (ℓ_1, 1)

(assuming that the time of the initial state change is 0). Note that had we chosen to
restrict the semantics of timed transition systems to deterministic timed state sequences,
the description of Π(S_P) would be substantially more complex, namely, in the analog-clock
model, the stuttering closure of an infinite set.

Finally, we remark that our semantics of shared-variables multiprocessing systems is
conservative over the untimed case. Suppose that the system P contains no delay labels
(recall that, in this case, all minimal delays are 0 and all maximal delays are ∞). Then
the state components of the computations of S_P are precisely the legal execution sequences
of P, as defined in the interleaving model of concurrency, that are weakly fair with respect
to every transition [91]: no process can stop when one of its transitions is continuously
enabled. Weak fairness for every individual transition and, consequently, progress for every
process is guaranteed by the maximal delays ∞.




2.2.3 Examples: Time-out and timely response

To demonstrate the scope of the timed transition diagram language, we model two extremely
common real-time phenomena as shared-variables multiprocessing systems. In the first
example (time-out), a process checks if an external event happens within a certain amount
of time; in the second example (traffic light), a process reacts to an external event and
is required to do so within a certain amount of time. A third example combines several
processes.

Time-out

To see how a time-out situation can be programmed, consider the process P with the
following timed transition diagram:

When at the location ℓ_0, the process P attempts, for 10 time units, to proceed to the location
ℓ_1, by checking the value of z. If the value of z is not found to be 0, then P does not succeed
and proceeds to the alternative location ℓ_2 after 10 time units. The choice of the maximal
delay u determines how often P checks the value of z. For example, if u ≥ 10, then P may
not check the value of z at all before timing out after 10 time units. If 0 ≤ u < 10, then
P has to check the value of z at least once every u time units. Consequently, if the value
of z is 0 for more than u time units, it will be detected. On the other hand, the value of z
being 0 may go undetected if it fluctuates too frequently, even in the case of u = 0.
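The Phase 1 / Phase 2 strategy from the proof of Proposition 2.4, driven by the clock and delay counters of the explicit-clock system S* (Section 2.1.2), applied to the time-out process just described: an added, constructed example, not the thesis's code. Its encoding of the diagram (a check edge z = 0 ? with delays [0, u], a time-out edge with delays [10, 10], an environment transition with delays [0, ∞] that may reset z, control starting at ℓ_0 without the entry transition), the choice of u = 3, and all names are assumptions of this example.

```python
# Added example (not the thesis's code): explicit-clock execution of a timed
# transition system with the Phase 1 / Phase 2 strategy of Proposition 2.4.
import math
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, object]                           # a state of S
Position = Tuple[State, Fraction, Optional[str]]    # (state, time, transition taken here)

@dataclass(frozen=True)
class Transition:
    name: str
    enabled: Callable[[State], bool]
    apply: Callable[[State], State]
    lower: int          # minimal delay l_tau
    upper: float        # maximal delay u_tau; math.inf stands for infinity

class ExplicitClockRunner:
    """A state of S extended, as in S*, by the clock t and one delay counter d[tau]
    per transition; counters start at 0 here (S* admits any value in [0, u_tau])."""
    def __init__(self, initial: State, transitions: List[Transition]):
        self.trs, self.state, self.t = transitions, dict(initial), Fraction(0)
        self.d = {tr.name: Fraction(0) for tr in transitions}
        self.trace: List[Position] = []

    def enabled(self) -> List[Transition]:
        return [tr for tr in self.trs if tr.enabled(self.state)]

    def take(self, tr: Transition) -> None:    # the extended transition tau*
        assert tr.enabled(self.state) and self.d[tr.name] >= tr.lower   # lower bound
        self.trace.append((dict(self.state), self.t, tr.name))
        self.state = tr.apply(self.state)
        for o in self.trs:   # the taken transition and every disabled one restart at 0
            if o is tr or not o.enabled(self.state):
                self.d[o.name] = Fraction(0)

    def tick(self, delta: Fraction) -> None:   # the tick transition: the state idles
        assert delta > 0
        self.trace.append((dict(self.state), self.t, None))
        self.t += delta
        for o in self.enabled():
            self.d[o.name] += delta
            assert self.d[o.name] <= o.upper   # finite-upper-bound requirement

    def max_consistent_delta(self) -> Optional[Fraction]:
        """Largest increment that delays no enabled transition past its maximal
        delay; None when every enabled transition may wait arbitrarily long."""
        slack = [Fraction(tr.upper) - self.d[tr.name]
                 for tr in self.enabled() if tr.upper != math.inf]
        return min(slack) if slack else None

def generate_run(initial: State, transitions: List[Transition], positions: int) -> List[Position]:
    r = ExplicitClockRunner(initial, transitions)
    n_phase = (len(transitions) + 1) ** 2      # N >= (|T| + 1)^2 as in the proof
    step = 0
    while len(r.trace) < positions:
        if step % n_phase == n_phase - 1:      # Phase 2: maximal-delay-oo transitions
            for tr in transitions:
                if tr.upper == math.inf and tr.enabled(r.state) and r.d[tr.name] >= tr.lower:
                    r.take(tr)
        else:                                  # Phase 1
            delta = r.max_consistent_delta()
            if delta is None:
                r.tick(Fraction(1))            # any positive amount will do
            elif delta == 0:                   # some finite upper bound blocks time
                r.take(next(tr for tr in r.enabled() if r.d[tr.name] == tr.upper))
            else:
                r.tick(delta)
        step += 1
    return r.trace

def is_partial_run(trace: List[Position], transitions: List[Transition]) -> bool:
    """Checks the lower-bound and finite-upper-bound requirements directly on the
    timed state sequence, independently of the delay counters kept above."""
    t_last = trace[-1][1]
    for tr in transitions:
        for j, (sj, tj, label) in enumerate(trace):
            # lower bound: tau taken at j was enabled on every sigma_i with T_j < T_i + l
            if label == tr.name and any(tj < ti + tr.lower and not tr.enabled(si)
                                        for si, ti, _ in trace[:j + 1]):
                return False
        for i, (si, ti, _) in enumerate(trace):
            # finite upper bound: once the deadline T_i + u lies within the prefix, tau
            # must have been taken or disabled at some j >= i with T_j <= T_i + u
            if tr.upper != math.inf and tr.enabled(si) and t_last >= ti + tr.upper and not any(
                    tj <= ti + tr.upper and (label == tr.name or not tr.enabled(sj))
                    for sj, tj, label in trace[i:]):
                return False
    return True

# Constructed encoding of the time-out process above (an assumption, not the thesis's
# diagram): at l0 the edge "z = 0 ?" with delays [0, U] leads to l1 and the time-out edge
# with delays [10, 10] leads to l2; an environment transition with delays [0, oo] may
# reset z to 0.  The entry transition is omitted: control starts at l0.
U = 3
TIMEOUT_PROCESS = [
    Transition("check", lambda s: s["loc"] == "l0" and s["z"] == 0,
               lambda s: {**s, "loc": "l1"}, 0, U),
    Transition("timeout", lambda s: s["loc"] == "l0",
               lambda s: {**s, "loc": "l2"}, 10, 10),
    Transition("env_set", lambda s: s["z"] == 1,
               lambda s: {**s, "z": 0}, 0, math.inf),
]
```

With z = 0 from the start, the strategy waits the maximal consistent δ = U and then takes the check edge; with z = 1 it waits 10 time units and the time-out edge fires.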

Traffic light

To give another typical real-time application of embedded systems, let us design a traffic
light controller that turns a pedestrian light green within 5 time units after a button is
pushed. The environment is given by the following process E. Whenever the request
button is pushed, the shared boolean variable request is set to true:

[diagram of E; edge label: [0, 0] request := true]

Recall that the edge labels true and [0, ∞] are suppressed; thus we have no knowledge
about the frequency of requests.

We want to design a traffic light controller Q that controls the status of the traffic
light through the variable light, whose value is either green or red. As unit of time we
take the amount of time it takes to switch the light; for simplicity, we also assume that, in
comparison, the time needed for local operations within Q is negligible. Now let us specify
the desired process Q. The controller Q should behave in such a way that the combined
system

P : {request = false, light = red} [E ‖ Q]

satisfies the following two correctness conditions:

(A) Whenever request is true, then light is green within 5 time units for at least 5 time
units.

(B) Whenever request has been false for 25 time units, then light is red.

The first condition, (A), ensures that no pedestrian has to wait for more than 5 time units
to cross the road and is given another 5 time units to do so; the second condition, (B),
prevents the light from being always green. Both properties are real-time safety properties.

It is not hard to convince ourselves that, once it is started, the following process Q
satisfies the specification:

[diagram of Q; legible edge labels: ¬request → light := red, request := false, light := green]

for any delay 4 ≤ δ ≤ 23. This implementation of the traffic light controller turns the light
green as soon as possible after a request is received and then waits for δ time units before
turning the light red again. Only if the request button has been pushed in the meantime,
the light stays green for another δ time units. In the following chapters, we will state both
requirements (A) and (B) in a formal language and present verification algorithms that
prove the system correct with respect to its specification.


Multiple  traffic  lights 

Let  us  generalize  the  traffic  light  example  and  design  a  system  that  reacts  to  several  external 
events.  We  wish  to  do  so  by  composing,  in  parallel,  processes  that  are  similar  to  Q.  At 
this  point  it  is  convenient  to  accept  some  additional  assumptions  about  the  frequencies  of 
the  external  events.  In  our  example,  suppose  that  the  distance  between  any  two  requests 
at  least  15  time  units;  that  is. 


Then  we  can  simplify  the  traffic  fight  controller  to 


for any delay 4 ≤ δ ≤ 17. The combined system

P′ : {request = false, light = red} [E′ ‖ Q′]

still satisfies both correctness requirements (A) and (B).
Now consider a more complex traffic light configuration, with two lights and two request buttons. In particular, we assume that the second light is designed for the special convenience of pedestrians that are in a hurry: it is required to turn green within 3 time units of a request but, on the other hand, has to stay green for only 3 time units. While pedestrians arrive at the first light with a frequency of at most one pedestrian every 15 time units, we assume that the more urgent requests are less frequent — only one every 30 time units:


The  controller  for  both  lights  executes  the  following  two  processes: 


If the combined traffic light controller makes use of two processors and the processes Q1 and Q2 are executed in a truly concurrent fashion, then the correctness of the entire system

P‖ : {request1 = request2 = false, light1 = light2 = red} [E1 ‖ E2 ‖ Q1 ‖ Q2]

follows from the correctness of its parts. Specifically, if 4 ≤ δ1 ≤ 17 and 2 ≤ δ2 ≤ 30, then all runs of P‖ satisfy the following conditions:

(A1) Whenever request1 is true, then light1 is green within 5 time units for 5 time units.

(A2) Whenever request2 is true, then light2 is green within 3 time units for 3 time units.

(B1) Whenever request1 has been false for 25 time units, then light1 is red.

(B2) Whenever request2 has been false for 25 time units, then light2 is red.

A more interesting case is obtained if only a single processor is available to control both lights and the two processes Q1 and Q2 have to share it. Using the interleaving (shuffle) operator of Hoare [59], we denote the resulting system P||| by the expression

{request1 = request2 = false, light1 = light2 = red} [E1 ‖ E2 ‖ (Q1 ||| Q2)].

Note that the behavior of the environment E1 ‖ E2 is still truly concurrent to the behavior of the traffic light controller Q1 ||| Q2, which executes both processes Q1 and Q2 on a single processor in an interleaved fashion.

Let us assume that δ1 = 10 and δ2 = 2, in which case P‖ is correct. However, if we have no knowledge about the strategy by which Q1 and Q2 are scheduled on the same processor, other than that it is fair (i.e., the turn of each process will come eventually), then P||| does not satisfy the specification consisting of (A1), (A2), (B1), and (B2). For suppose that the process Q1 is always given priority over the process Q2, and the traffic light controller receives a request for the second light only one time unit after it has received a request for the first light. Then it will serve the first request by turning light1 green and (busy) waiting for 10 time units, thus violating (A2).

On the other hand, if the process Q2 that serves the more urgent yet less frequent requests is always given priority over the process Q1, then P||| is correct. This is because, owing to the low frequency of requests for the second light, only one such request can interrupt the service of a request for the first light. Clearly, this argument, which depends on a host of possible interleavings of four processes, calls for a formal proof. Even more challenging is the task of deriving sufficient and necessary conditions on the delays δ1 and δ2 for the correctness of the system P|||.
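The single-processor scenario just described, as an added simulation that is not part of the thesis: it runs the controllers Q1 and Q2 (δ1 = 10, δ2 = 2) on one processor under a fixed priority order and checks (A1), (A2), (B1), (B2) against a constructed request trace that respects the 15- and 30-time-unit spacing assumptions. The tick-level behaviour of the controllers (one tick is one time unit, each instruction occupies one tick of processor time, and a busy wait consumes δ_i ticks of processor time that do not advance while the process is suspended) is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set

GREEN, RED = "green", "red"


@dataclass
class Controller:
    """Tick model (an assumption of this example) of the controller Q_i:
    wait for request_i; light_i := green and request_i := false; busy-wait
    delta_i ticks of processor time; then, if request_i has been pushed in
    the meantime stay green for another delta_i ticks, else light_i := red."""
    name: str
    delta: int            # busy-wait length delta_i, in processor ticks
    within: int           # (A_i): green within `within` ticks of a request
    hold: int             # (A_i): green for at least `hold` ticks
    light: str = RED
    request: bool = False
    remaining: int = 0    # busy-wait ticks still to be spent

    def enabled(self) -> bool:
        """Some transition of Q_i is enabled in the current state."""
        return self.request or self.remaining > 0 or self.light == GREEN

    def step(self) -> None:
        """Spend one tick of processor time on the enabled transition."""
        if self.light == GREEN and self.remaining == 0:   # wait is over
            if self.request:                # pushed again: stay green
                self.request = False
                self.remaining = self.delta
            else:
                self.light = RED            # light_i := red
        elif self.remaining == 0:           # idle location, request pending
            self.light = GREEN              # light_i := green; request_i := false
            self.request = False
            self.remaining = self.delta
        else:
            self.remaining -= 1             # one tick of busy waiting


# constructed environment trace: button i is pushed at the listed ticks
# (request1 at most once per 15 ticks, request2 at most once per 30 ticks)
SAMPLE_REQUESTS: Dict[int, List[str]] = {
    0: ["Q1"], 1: ["Q2"], 15: ["Q1"], 30: ["Q1"], 31: ["Q2"], 45: ["Q1"],
}


def run(priority: Sequence[str], requests: Dict[int, List[str]],
        horizon: int = 60, red_after: int = 25) -> Set[str]:
    """Simulate `horizon` ticks of E1 || E2 || (Q1 ||| Q2): every tick the
    first enabled controller in `priority` gets the processor.  Returns the
    violated requirements among A1, A2, B1, B2 (empty set: run is correct)."""
    ctl = {"Q1": Controller("Q1", delta=10, within=5, hold=5),
           "Q2": Controller("Q2", delta=2, within=3, hold=3)}
    lights: Dict[str, List[str]] = {n: [] for n in ctl}   # light_i per tick
    for t in range(horizon):
        for n in requests.get(t, []):       # environment: truly concurrent
            ctl[n].request = True
        for n in priority:                  # single processor: one step
            if ctl[n].enabled():
                ctl[n].step()
                break
        for n in ctl:
            lights[n].append(ctl[n].light)
    violated: Set[str] = set()
    for idx, n in enumerate(("Q1", "Q2"), start=1):
        c, hist = ctl[n], lights[n]
        asked = [t for t, names in requests.items() if n in names]
        for r in asked:                     # (A_i): latency and green duration
            greens = [t for t in range(r, horizon) if hist[t] == GREEN]
            if not greens or greens[0] - r > c.within:
                violated.add(f"A{idx}")
                continue
            end = greens[0]
            while end < horizon and hist[end] == GREEN:
                end += 1
            if end - greens[0] < c.hold:
                violated.add(f"A{idx}")
        for t in range(red_after, horizon):  # (B_i): red after a quiet spell
            quiet = not any(t - red_after <= r <= t for r in asked)
            if quiet and hist[t] != RED:
                violated.add(f"B{idx}")
    return violated
```

With Q1 given priority the second request (tick 1) is served only after Q1's busy wait, so (A2) fails; with Q2 given priority the same trace satisfies all four requirements.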

2.2.4  Message  passing 

Note that asynchronous message passing can be modeled by shared variables that represent message channels. In this subsection, we extend our timed transition diagram language by a primitive for synchronous (CSP-style) message passing, which can be used for the synchronization and communication of parallel processes.

Syntax 

A (message-passing) multiprocessing system P has the form

where φ is a data precondition and each process P_i, for 1 ≤ i ≤ m, is a sequential nondeterministic real-time program over the finite set U_l ∪ U_g of data variables (for true message-passing systems, we may assume that U_g = ∅). We use again timed transition diagrams to represent processes, but enrich the repertoire of instructions by guarded send and receive operations. The send operation α!e outputs the value of the expression e on the channel α; the receive operation α?x reads an input value from the channel α and assigns it to the variable x. A send instruction and a receive instruction match iff they belong to different processes and address the same channel:


For any two matching communication instructions with the delay intervals [l, u] and [l′, u′], respectively, we require that max(l, l′) ≤ min(u, u′).

Since we use the paradigm of synchronous message passing, a send operation can be executed only jointly with a matching receive operation. Thus the intended operational meaning of the given two edges is as follows. Suppose that, for max(l, l′) time units, the control of the process P_i has resided at the location ℓ and the control of the process P_i′ has resided at the location ℓ′, and the guards c and c′ have been continuously true; then P_i and P_i′ may proceed, synchronously, to the locations ℓ̂ and ℓ̂′, respectively. On the other hand, if P_i has resided at ℓ and P_i′ has resided at ℓ′, and the guards c and c′ have been continuously true for min(u, u′) time units, then both processes must proceed. In doing so, the current value of e is assigned to x.
Semantics

Synchronous message passing can be formally modeled by timed transition systems. We define the timed transition system S_P = (Σ, Θ, T, l, u) that is associated with the given message-passing multiprocessing system P as in the shared-variables case, except that T contains an additional transition for every matching pair of communication instructions. Suppose that the two edges E (from ℓ to ℓ̂) and E′ (from ℓ′ to ℓ̂′) in the timed transition diagrams for P_i and P_i′ are labeled by the matching instructions c → α!e and c′ → α?x, respectively. Then

• T contains, for the matching edges E and E′, a transition τ_{E,E′} such that σ′ ∈ τ_{E,E′}(σ) iff

σ(π_i) = ℓ and σ(π_i′) = ℓ′,

σ′(π_i) = ℓ̂ and σ′(π_i′) = ℓ̂′,

c and c′ are true in σ and σ′(x) = σ(e),

σ′(y) = σ(y) for all y ∈ V − {π_i, π_i′, x}.

If τ_{E,E′} is uniquely determined by its source and target locations, we often index it by those locations instead.

• If the matching edges E and E′ are labeled by the minimal delays l and l′, respectively, let l_{τ_{E,E′}} = max(l, l′).

• If the matching edges E and E′ are labeled by the maximal delays u and u′, respectively, let u_{τ_{E,E′}} = min(u, u′).

This translation defines the set of possible computations of any distributed real-time system P whose processes communicate either through shared variables or by message passing.

Process synchronization

Recall that the component processes of the multiprocessing system P1 ‖ P2 may start at arbitrary, even vastly different, times. An important application of synchronous message passing is the synchronization of parallel processes. Let P1 and P2 be two real-time processes whose timed transition diagrams have the entry locations ℓ_0 and ℓ′_0, respectively, and let α be a channel. Now consider the two processes P1′ and P2′ whose timed transition diagrams are obtained from the transition diagrams for P1 and P2 by adding new entry locations:


The added message-passing operations have the effect of synchronizing the start of the two processes P1′ and P2′ (whenever message passing is used for the purpose of process synchronization only, the data that is passed between processes is immaterial and the data components of the instructions are usually suppressed). It follows that the component processes of the multiprocessing system P1′ ‖ P2′ start synchronously, at the exact same (arbitrary) time.

From now on, we shall write P1 ‖_s P2 for the system P whose component processes P1 and P2 start synchronously; that is, the notation P1 ‖_s P2 is an abbreviation for the message-passing system P1′ ‖ P2′. Equivalently, we can directly define the formal semantics S_P of the synchronous multiprocessing system P1 ‖_s P2 as containing a single entry transition τ_0 for both processes P1 and P2; namely, σ′ ∈ τ_0(σ) iff

σ(π1) = σ(π2) = ⊥,

σ′(π1) = ℓ_0 and σ′(π2) = ℓ′_0,

σ′(y) = σ(y) for all y ∈ V − {π1, π2}.

It is not hard to generalize our notion of synchronous message passing to synchronous
broadcasting,  which  allows  arbitrarily  many  parallel  processes  to  synchronize  simultaneously 
on  joint  transitions. 

2.3  Concrete  Model:  Multiprogramming  Systems 

While the interleaving model for concurrency identifies true parallelism (multiprocessing) with nondeterminism (multiprogramming), the traffic light example of Subsection 2.2.3 suggests that the ability of a system to meet its real-time constraints depends crucially on the number of processors that are available and the process allocation algorithm. This is vividly demonstrated by the following trivial system consisting of the two processes P1 and P2:

P1:

P2:

If both processes are executed in parallel on two processors, we denote the resulting system by P1 ‖ P2 (or P1 ‖_s P2, if the processes are started at the same time); if they share a single processor and are executed one transition at a time according to some scheduling strategy, the composite system is denoted by P1 ||| P2.

In the untimed case, it is the very essence of the interleaving semantics to identify both systems with the same set of possible (interleaved) execution sequences — the stuttering closure of the two untimed behaviors

(a state is an interpretation of the two control variables π1 and π2). Real time, however, can distinguish between true concurrency and (sequential) nondeterminism: if both processes start synchronously, then the parallel execution of P1 and P2 terminates within 1 time unit; on the other hand, any interleaved sequential execution of P1 and P2 takes 2 time units. This distinction must be captured by our model:

Multiprocessing In the two-processor case P1 ‖_s P2, we obtain as computations the stuttering closure of the two real-time behaviors

(⊥, ⊥, 0) → (ℓ_0, ℓ′_0, 0) → (ℓ_0, ℓ′_0, 1) → (ℓ_1, ℓ′_0, 1) → (ℓ_1, ℓ′_1, 1),

(⊥, ⊥, 0) → (ℓ_0, ℓ′_0, 0) → (ℓ_0, ℓ′_0, 1) → (ℓ_0, ℓ′_1, 1) → (ℓ_1, ℓ′_1, 1),

where the third component of every triple denotes the time. Note that the system P1 ‖ P2 has more computations, because the time difference between the start of P1 and the start of P2 can be arbitrarily large.
Multiprogramming In the time-sharing case P1 ||| P2, the set of computations will be defined to be essentially the stuttering closure of the two real-time behaviors

(⊥, ⊥, 0) → (ℓ_0, ℓ′_0, 0) → (ℓ_0, ℓ′_0, 1) → (ℓ_1, ℓ′_0, 1) → (ℓ_1, ℓ′_0, 2) → (ℓ_1, ℓ′_1, 2),

(⊥, ⊥, 0) → (ℓ_0, ℓ′_0, 0) → (ℓ_0, ℓ′_0, 1) → (ℓ_0, ℓ′_1, 1) → (ℓ_0, ℓ′_1, 2) → (ℓ_1, ℓ′_1, 2).

We write “essentially,” because we will augment the state by information about the status of the two processes (either active or suspended). Also, observe that we have silently assumed that the swapping of processes is instantaneous and that neither process has priority over the other process. All of these issues will be discussed in detail later.

Thus, when time is of the essence, we can no longer ignore the difference between multiprocessing, where each parallel task is executed on a separate machine, and multiprogramming, where several tasks reside on the same machine. In this section, we first show how our model extends to concrete real-time systems that consist of a fixed number of sequential programs that are executed, by time-sharing, on a single processor. Then we use our framework to represent general multiprogramming systems, in which several processes share a pool of processors statically or dynamically.

2.3.1 Syntax and semantics

A multiprogramming system P has the form

{φ}[P1 ||| ... ||| Pm].

Each process P_i, for 1 ≤ i ≤ m, is again a sequential nondeterministic real-time program over the finite set U of data variables, whose initial values satisfy the data precondition φ. We represent the real-time programs P_i by timed transition diagrams as before. Note, however, that in the multiprogramming case the control of the (single) processor resides at one particular location of one particular process. Thus the intended operational meaning of the edge
is as follows. The minimal delay l guarantees that whenever the control (of the single processor) has resided at the location ℓ for at least l time units and the guard c is true, then the control may proceed to the location ℓ̂. The maximal delay u ensures that whenever the control has resided at ℓ for u time units and the guard c is true, then it must proceed to ℓ̂. This is because no other process can interfere with the active process and change the value of c.

The operational view of the concrete model is again captured formally by a translation into timed transition systems. With the given multiprogramming system P, we associate the following timed transition system S_P = (Σ, Θ, T, l, u):

1. Σ contains all interpretations of the finite set

V = U ∪ {μ, π1, ..., πm}

of data and control variables. There are two kinds of control variables: the processor control variable μ ranges over the set {⊥, 1, ..., m}; each process control variable π_i, for 1 ≤ i ≤ m, ranges over the set L_i of locations of the process P_i.

The value of the processor control variable μ is ⊥ (undefined) before the (single) processor starts executing processes; thereafter the control of the processor resides at the location of the process P_μ. We say that P_μ is active, while all other processes P_i, i ≠ μ, are suspended (if the value of μ is undefined, then all processes are suspended). The process control variable π_i of a suspended process indicates the location at which the execution of P_i will resume when P_i gains control of the processor.

2. Θ is the set of all states σ ∈ Σ such that φ is true in σ, and σ(μ) = ⊥ and σ(π_i) = ⊥ for all 1 ≤ i ≤ m.

3. T contains, in addition to the idle transition τ_I, an action transition τ_E for every edge E in the timed transition diagrams for P1, ..., Pm. If E connects the source location ℓ to the target location ℓ̂ and is labeled by the instruction c → x := e, then σ′ ∈ τ_E(σ) iff

σ(μ) = i and σ(π_i) = ℓ,

σ′(π_i) = ℓ̂,

c is true in σ and σ′(x) = σ(e),

σ′(y) = σ(y) for all y ∈ V − {π_i, x}.
Furthermore, there are scheduling transitions τ ∈ T that change the status of the processes by resuming a suspended process; σ′ ∈ τ(σ) implies that

σ′(y) = σ(y) for all y ∈ V − {μ}.

The scheduling policy determines the set of scheduling transitions.

A scheduling transition τ is called an entry transition iff it is enabled on some initial states. We restrict ourselves to scheduling policies with a single entry transition, τ_0, that is enabled on all initial states. Moreover, we require that σ′ ∈ τ_0(σ) implies that

σ(μ) = ⊥,

σ′(y) = σ(y) for all y ∈ V − {μ};

that is, the entry transition τ_0 is enabled precisely on the initial states and activates, perhaps nondeterministically, one of the competing processes.

4. For every edge E labeled by the minimal delay l, let l_{τ_E} = l. Furthermore, l_{τ_0} = 0.

5. For every edge E labeled by the maximal delay u, let u_{τ_E} = u. Furthermore, u_{τ_0} = ∞.

The  computations  of  Sp  clearly  depend  on  the  scheduling  transitions  and  their  delays. 

In the untimed case, the scheduling issue can be reduced to fairness assumptions about the scheduling policy: correctness of an untimed multiprogramming system is generally shown for all fair scheduling strategies. It makes, however, little sense to desire that a multiprogramming system satisfies a real-time requirement under all (fair) scheduling strategies, because the scheduling algorithm usually determines if a system meets its timing constraints. In fact, fair scheduling strategies admit thrashing: by switching control too often between processes, only scheduling transitions may be performed, because no action transition is enabled long enough so that it has to be taken; thus the system may make no real progress at all and may certainly not meet any real-time deadlines. Consequently, we always study the correctness of a real-time multiprogramming system with respect to a particular given scheduling policy.
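A small executable rendering of the multiprogramming semantics above, added here and not part of the thesis, that makes the thrashing argument concrete: a fair scheduler that switches processes at every tick is run against the greedy policy on a constructed two-process system whose edges carry the minimal delay l = 1. The location names, the one-tick time unit, free scheduling transitions, and the assumption that a suspended process's edges are disabled so that its delay clock restarts when it is resumed are assumptions of the example.

```python
from typing import Callable, Dict, List, Tuple

Edge = Tuple[str, int, int]      # (target location, minimal delay l, maximal delay u)
Process = Dict[str, Edge]        # source location -> its outgoing edge (guard: true)
Policy = Callable[[int, List[str], List[Process]], int]


def has_edge(i: int, locs: List[str], procs: List[Process]) -> bool:
    """P_i has an action transition leaving its current location."""
    return locs[i] in procs[i]


def greedy(mu: int, locs: List[str], procs: List[Process]) -> int:
    """tau_G: the active process stays active until all its transitions are
    disabled; then an arbitrary process with an enabled transition takes over."""
    if has_edge(mu, locs, procs):
        return mu
    for j in range(len(procs)):
        if has_edge(j, locs, procs):
            return j
    return mu


def switch_every_tick(mu: int, locs: List[str], procs: List[Process]) -> int:
    """A fair policy (each process gets its turn every m ticks) that switches
    control so often that no action transition stays enabled for l ticks."""
    return (mu + 1) % len(procs)


def simulate(procs: List[Process], entry: List[str], policy: Policy,
             horizon: int) -> Tuple[List[str], int]:
    """Run the multiprogramming system for `horizon` ticks under `policy`.
    Returns (final locations pi_1..pi_m, number of action transitions taken).
    An edge (l, u) of the active process fires once the processor has resided
    at its source location for l ticks (any moment up to u is admissible; the
    earliest is taken here)."""
    locs = list(entry)        # process control variables pi_1..pi_m
    mu = 0                    # entry transition tau_0: activate P_1
    clock = 0                 # ticks the processor has resided at locs[mu]
    actions = 0
    for _ in range(horizon):
        new_mu = policy(mu, locs, procs)
        if new_mu != mu:      # scheduling transition: mu changes, no pi_i does
            mu, clock = new_mu, 0
        edge = procs[mu].get(locs[mu])
        if edge is not None and clock >= edge[1]:
            locs[mu] = edge[0]           # action transition tau_E
            actions += 1
            clock = 0
        else:
            clock += 1                   # idle transition: one tick passes
    return locs, actions


# constructed system: two processes, each a chain l0 -> l1 -> l2 whose edges
# carry the delay interval [1, 3] and the guard true
SAMPLE: List[Process] = [
    {"l0": ("l1", 1, 3), "l1": ("l2", 1, 3)},
    {"l0": ("l1", 1, 3), "l1": ("l2", 1, 3)},
]
ENTRY = ["l0", "l0"]
```

Under the greedy policy both processes reach l2 within 8 ticks, whereas the every-tick switcher, although fair, takes no action transition at all however long it runs.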

2.3.2  Scheduling  strategies 


A scheduling strategy may be

Implicit or explicit The scheduling transitions of implicit scheduling policies are defined directly and uniformly for an entire class of timed transition systems, independent of the concrete system that is being modeled. A typical example of an implicit strategy is greedy scheduling, which allows the active process to remain active as long as possible. Explicit scheduling policies are defined by the concrete system itself. They are specified by scheduling instructions that are part of the individual process descriptions.

Centralized or distributed All scheduling instructions of a centralized policy are concentrated in one of the processes — the scheduler. In distributed policies, any of the processes may make scheduling decisions.

Static or dynamic Unlike static policies, dynamic scheduling policies may change over time, possibly conditional on the values of data variables.

Neither this attempt at a classification nor the following selection of scheduling strategies is intended to be categorical or comprehensive; we simply try to examine what we think is a representative variety of different scheduling mechanisms and, in the process, hope to convince ourselves of the utility of the timed transition system model. Throughout this subsection we assume a fixed multiprogramming system

P: {φ}[P1 ||| ... ||| Pm]

and consider the scheduling transitions of the associated timed transition system S_P for various scheduling algorithms.

Greedy  scheduling 

The simplest reasonable scheduling strategy, as well as our default strategy, is greedy. According to this policy, the process that is currently in control of the processor remains active until all its transitions are disabled; at this point an arbitrary other process with an enabled transition takes over. Formally, the set T of transitions of S_P contains, in addition to the entry transition τ_0, a single scheduling transition, τ_G, with σ′ ∈ τ_G(σ) iff

σ(μ) ≠ ⊥,

σ′(y) = σ(y) for all y ∈ V − {μ},

τ_E(σ) = ∅ for all action transitions τ_E,

τ_E(σ′) ≠ ∅ for some action transition τ_E.

If there is no cost associated with swapping processes, then l_{τ_G} = u_{τ_G} = 0; if switching processes is not instantaneous, then the minimal and maximal delays of τ_G can be adjusted accordingly.

Scheduling  instructions 

More flexible scheduling strategies can be implemented with explicit scheduling operations. For this purpose, we enrich our programming language by the instruction resume(s), where s ⊆ {1, ..., m} determines a subset of processes. The scheduling operation resume(s) suspends the currently active process, say, P_i, and activates, nondeterministically, one of the processes P_j with j ∈ s:

resume(s)

We write resume(j) for resume({j}) and suspend for resume({1 ≤ j ≤ m | j ≠ i}); that is, the instruction suspend delegates the control from the currently active process to any one of the competing processes.

Formally, the set T of transitions of S_P contains, in addition to the entry transition τ_0, a scheduling transition τ_E for every resume edge E in the timed transition diagrams for P1, ..., Pm. If E connects the source location ℓ to the target location ℓ̂ and is labeled by the instruction c → resume(s), then σ′ ∈ τ_E(σ) iff

σ(μ) = i and σ′(μ) ∈ s,

σ(π_i) = ℓ and σ′(π_i) = ℓ̂,

c is true in σ,

σ′(y) = σ(y) for all y ∈ V − {μ, π_i}.

Furthermore, for every scheduling edge E labeled by the minimal delay l and the maximal delay u, let l_{τ_E} = l and u_{τ_E} = u.
Delays and timers

Note that the instruction

models a busy wait; the process P_i occupies the processor for 10 time units while waiting. To implement a nonbusy wait, in which P_i releases the processor to a competing process for 10 time units before resuming execution, we use a timer T (alarm clock) as a parallel process:

We make sure that the timer T is started (i.e., waiting for activation) when the process P_i becomes active. Then the timer is activated by the sequence

This timer construction

{φ}[(P1 ||| ... ||| Pm) ‖ T]

is abbreviated by the delay instruction

delay(a) [l, u]

which allows us to program nonbusy delays without explicit timers. We assume that there exists, implicitly, a unique timer process for every delay instruction in a timed transition diagram.
Round-robin scheduling

A construction that is similar to the timer example allows us to implement a round-robin scheduling strategy for two processes P1 and P2 that share a single processor. In the system (P1 ||| P2) ‖_s S, the scheduler

resume(1)

gives each of the two processes P1 and P2 in turn 10 time units of processor time. Needless to say, the explicit scheduling instructions give us the ability to design more sophisticated schedulers as well.

2.3.3  Processor  allocation 

Both the multiprogramming system with a timer and the multiprogramming system with a central scheduler are, in fact, combinations of multiprocessing and multiprogramming systems in which several tasks compete for some of the processors. In these systems, the question of scheduling, which determines the processor time that is granted to individual processes, is preceded by the question of processor allocation, which determines the assignment of processes to processors. This assignment can be

Static Every process is assigned to a fixed processor.

Dynamic A set of processes competes for a pool of processors. Over time, processes may reside at different processors.

We only hint at how this general notion of real-time system fits into our framework and can be modeled by timed transition systems. A static (shared-variables or message-passing) system P with k processors is of the form

{φ}[(P_{1,1} ||| ... ||| P_{1,m1}) ‖ ... ‖ (P_{k,1} ||| ... ||| P_{k,mk})];

that is, m_i processes compete for the i-th processor. The definition of the associated timed transition system S_P is straightforward: every processor has its own processor control variable μ_i, 1 ≤ i ≤ k, which ranges over the set of competing processes and designates the active process. Furthermore, every processor operates according to a local scheduling policy with a single entry transition τ_0^i, 1 ≤ i ≤ k.

To model systems in which a process competes for more than one processor, we simply write

for the dynamic system in which m processes compete for k processors according to some global processor allocation and scheduling policy. For these systems, it is useful to have a more general scheduling instruction, resume(s, x), which interrupts the process that is currently active on processor x and activates, on processor x, one of the processes from the set s.

2.3.4 Priorities and interrupts

While the explicit scheduling instructions of the previous subsection give us the flexibility to design a scheduler, we often wish to adopt a simple, static scheduling strategy without having to explicitly construct a scheduler. In this subsection, we offer this possibility by generalizing the greedy strategy. We assign a priority to every transition, and at any point in a computation, choose only among the transitions with the highest priority. If the transition with the highest priority belongs to a suspended process, then the currently active process is interrupted and the execution of the suspended process is resumed.

A priority system P is a (shared-variables or message-passing, static or dynamic) system in which a priority is associated with every instruction; that is, with every edge in the timed transition diagrams for P. We use nonnegative integers as priorities (0 being the highest priority), and annotate an edge with a priority p ∈ ℕ as follows:


We formalize the priority semantics only for simple multiprogramming systems; the generalization to systems with several processors is straightforward. With a given priority system

P: {φ}[P1 ||| ... ||| Pm],

we associate the following timed transition system S_P = (Σ, Θ, T, l, u):

• Σ and Θ are as before.

• T contains, in addition to τ_I, an action transition τ_E for every assignment edge E in the transition diagrams for P1, ..., Pm. If E connects the source location ℓ to the target location ℓ̂ and is labeled by the instruction p: c → x := e, then σ →_E σ′ iff

σ(π_i) = ℓ and σ′(π_i) = ℓ̂,

c is true in σ and σ′(x) = σ(e),

σ′(y) = σ(y) for all y ∈ V − {π_i, x}.

Then σ′ ∈ τ_E(σ) iff

σ →_E σ′ and σ(μ) = i and

there is no edge E′ that is labeled by a higher priority p′ < p such that σ →_{E′} σ″ for some σ″.

For any matching pair of communication edges E and E′ that are labeled by the priorities p and p′, respectively, we take the higher priority min(p, p′) for the combined transition τ_{E,E′} (although this choice is arbitrary and may be reversed, if the need arises).

Furthermore, there is, in addition to the entry transition τ_0, a scheduling transition τ_P such that σ′ ∈ τ_P(σ) iff

σ(μ) ≠ ⊥,

σ′(y) = σ(y) for all y ∈ V − {μ},

τ_E(σ) = ∅ for all action transitions τ_E,

τ_E(σ′) ≠ ∅ for some action transition τ_E.

• Let l_{τ_E} and u_{τ_E} be as before, and choose l_{τ_P} and u_{τ_P} to represent the cost of swapping processes.

Note that if all transitions have equal priority, then the scheduling strategy is greedy. Thus priorities extend our previous discussion conservatively: all systems can be viewed as priority systems whose instructions have the same default priority, unless they are annotated with explicit priorities (that is, τ_G = τ_P).

Dynamic  priorities 

Priorities can be combined with explicit scheduling operations in the obvious way. It is, however, often more convenient to model dynamic scheduling strategies by dynamic priorities, which can be changed by any process during execution. Dynamic priorities offer exciting possibilities, such as the ability of a process to increase or decrease its own priority. Moreover, they are easily incorporated into our framework; we simply use data variables that range over the nonnegative integers ℕ as priorities. Instead of giving the formal semantics of dynamic priorities, which is constructed straightforwardly from the semantics of constant (static) priorities, we present an interesting real-time application of dynamic priorities.

We have not yet pointed out that our interpretation of message passing is not entirely conservative over the untimed case: there the set of possible computations usually is restricted by strong-fairness assumptions for communication transitions [91]. This is convenient for the study of time-independent properties of a system, where simple fairness assumptions about “nondeterministic” branching points abstract complex implementation details. Consider, for example, the multiprocessing system P1 ‖ P2 ‖ Q that consists of the following three processes P1, P2, and Q:

(Recall that we may omit the data components of message-passing operations, if they are immaterial.) The arbiter Q mediates between the two processes P1 and P2 and uses synchronous communication on the two channels α and β to ensure mutual exclusion: P1 and P2 can never be simultaneously in their critical sections ℓ_1 and ℓ′_1, respectively.

Strong-fairness assumptions on the communication transitions are used to guarantee that, in addition, neither of the two processes P1 and P2 is shut out from its critical section forever: the arbiter cannot always prefer one process over the other. Any such infinitary fairness assumption, however, is clearly without bearing on the satisfaction of a real-time requirement such as the demand that a process has to wait at most 10 time units before being able to enter its critical section. As has been the case with scheduling, we have again encountered a situation in which the infinitary notion of “fairness” is adequate for proving untimed properties, yet entirely inadequate for proving real-time constraints. To verify compliance with real-time requirements, we can no longer forgo an explicit description of how the arbiter Q decides between the two processes P1 and P2 when both are waiting to enter their critical sections. For instance, the following refinement Q′ of Q never makes the same “nondeterministic” choice twice in a row:


(We  use  semicolons  to  concatenate  instructions;  the  default  value  of  priorities  it  assumed 
to  be  0.)  The  arbiter  modifies  the  priorities  p  and  q  of  its  nondeterministic  alternatives  to 
ensure  that  the  system 

0>=9=0}[P,||P,||(?'] 

satisfies  the  requirement  that  each  process  has  to  wait  at  most  10  time  units  before  being 
able  to  enter  its  critical  section.  Note  that  none  of  the  two  nondeterministic  alternatives  is 
ever  disabled,  but,  at  any  time,  one  of  them  is  “preferred.” 
Finitary branching fairness

Since infinitary fairness assumptions, such as weak fairness for scheduling and strong fairness for synchronization, are insufficient to guarantee the satisfaction of real-time deadlines, one may like to add finitary branching conditions to timed transition systems. Such a finitary notion of fairness would restrict the nondeterminism of a system. We may want to require, for example, that no competitor of a transition τ can be taken more than n times without τ itself being taken (a similar concept has been called bounded fairness by Jayasimha [67]). We prefer, both for scheduling and synchronization, an explicit description of the selection process to such implicit assumptions. Since all selection processes that we have found useful can be described within our language, we see no need to introduce additional concepts that would only complicate any verification methodology.


Chapter  3 

Real-time  Logics 

Real-time logics are logics that are interpreted over infinite timed state sequences. Every formula φ of a real-time logic defines (specifies) the real-time property Π(φ), the set of all models of φ. We apply two criteria to measure the fitness of a logic as a specification and verification formalism:

Expressiveness Which real-time properties can be specified? The expressive power of a logic L is measured as the set of real-time properties that are definable by the propositional fragment of L: a real-time property Π can be specified iff there is a propositional formula φ of L such that Π contains exactly the models of φ.

Complexity How difficult is it to verify the expressible properties? The complexity of a logic L is measured by the computational complexity of the decision (validity) problem for the propositional fragment of L: given a propositional formula φ of L, is every timed state sequence a model of φ? The difficulty of this problem is closely related to the hardness of the verification problem for finite-state systems.

The restriction to the propositional fragment of a logic

1. gives us information about the intrinsic structural expressiveness and complexity of the logic, independent of the adjunction of first-order data domains, and

2. is necessary to obtain decision procedures. These can then be used for the algorithmic verification of finite-state systems, because any finite number of states can be modeled by a finite number of boolean-valued propositions.

We study classical as well as modal real-time logics. First we identify a fundamental boundary between decidable and undecidable classical theories of timed state sequences. Then we introduce two linear-time propositional temporal logics for the specification of real-time properties: timed temporal logic TPTL and metric temporal logic MTL. Both languages are shown to be as expressive as the maximal decidable classical theory of timed state sequences. In the second part of the thesis, we will identify the complexity of both logics and present algorithms as well as proof systems for the verification of timed transition systems with respect to specifications that are given as formulas of TPTL or MTL.


3.1  From  Temporal  to  Real-time  Logics 


Since proposed by Pnueli [106], linear temporal logic has firmly established itself as a suitable specification language for many untimed properties of reactive systems (consult, for example, [77, 91, 108]). The tableau-based decision procedure for its propositional version, PTL, provides a proven tool for the algorithmic verification and synthesis of finite-state systems [83, 94]. Finite axiomatizations of PTL [40] have led to relatively complete proof systems for the deductive verification of reactive systems [92].

PTL is interpreted over infinite sequences of states. Its practical appeal stems largely from the strong theoretical connections that PTL enjoys with the classical first-order theory of the natural numbers with linear order and monadic predicates; PTL captures an elementary, yet expressively complete, fragment of this nonelementary theory [40]; that is, any property of state sequences that is definable in the monadic first-order theory of (ℕ, <) can also be specified in PTL, which has a much simpler decision problem.

The formulas of PTL cannot refer explicitly to time. Furthermore, the interpretations of PTL, state sequences, abstract away from the actual times of state changes and retain only the temporal ordering information of states. To admit the specification of timing requirements of reactive systems, we have to

1. extend the syntax of PTL by introducing explicit references to time, and

2. extend the semantics of PTL by interpreting formulas over timed state sequences, which associate a time with every state.

We wish to carry out both extensions in a way that does not only yield a language that allows the "natural" specification of the real-time properties that are encountered in practice, but also preserves the desirable theoretical qualities of PTL:

Expressive completeness We want to be able to characterize the expressive power of a real-time specification language in comparison to a classical theory of timed state sequences. A logic is called expressively complete with respect to a classical theory iff the same class of (real-time) properties is definable in both languages.

Elementary decidability We want to be able to generalize the PTL-based tools for the algorithmic verification and synthesis of finite-state systems.

Finite axiomatizability We want to be able to generalize the PTL-based proof techniques for the deductive verification of reactive systems.

To meet these objectives, we will, in particular, have to identify the class of timing constraints that may be added to PTL without sacrificing its (elementary) decidability.

Later in this chapter, we will present two extensions of PTL that satisfy our criteria. First, however, let us review both PTL and the "obvious" (and most commonly proposed) way to introduce time explicitly into PTL, and let us illustrate why it falls short of our aspirations. Throughout this chapter and the remaining chapters of this thesis, we shall interpret logics over infinite sequences (of states or observations) only; so whenever we refer to a (timed) state sequence, we refer, by default, to a sequence in TSS^ω.

3.1.1  Linear  temporal  logic 

Let P = {p, q, ...} be a set of propositions. A state determines the truth value of all propositions. We write σ ⊨ p, and say that σ is a "p-state," iff the proposition p is true in state σ. Thus we may identify states with subsets of propositions (let p ∈ σ iff σ ⊨ p).

Propositional linear temporal logic (PTL) is a modal logic that is interpreted over infinite sequences of states. The formulas of PTL are built from propositions by boolean connectives and temporal operators. For example, the formula □p is true over a state sequence σ iff the proposition p is true in every state of σ. Thus the temporal operator □ can be intuitively thought of as capturing the temporal notion "always." The operator ◇ formalizes the dual notion "eventually": the formula ◇p is true over a state sequence σ iff the proposition p is true in some state of σ.

Syntax  and  semantics 

More precisely, the logic PTL, as defined by Gabbay, Pnueli, Shelah, and Stavi [40], contains two basic temporal operators, ○ (next) and U (until), from which other operators, including □ (always) and ◇ (eventually), can be defined. Thus the formulas φ of PTL are inductively defined as follows:

$$\varphi ::= p \mid \mathit{false} \mid \varphi_1 \to \varphi_2 \mid \bigcirc\varphi \mid \varphi_1\,\mathcal{U}\,\varphi_2$$

for p ∈ P. Additional boolean connectives are defined in terms of the two connectives false and → as usual. Moreover,

Eventually ◇φ stands for true U φ.

Always □φ stands for ¬◇¬φ.

Unless φ_1 𝒲 φ_2 stands for (φ_1 U φ_2) ∨ □φ_1. The temporal unless operator 𝒲 is sometimes called weak until, as opposed to the "strong" until operator U.

A PTL-formula φ is satisfiable (valid) iff it is true over some (every) infinite sequence of states. The formula φ is true over the infinite state sequence σ iff σ ⊨ φ for the following inductive definition of the satisfaction relation ⊨ (σ^i denotes the suffix of σ that starts at position i):

$$\begin{array}{lcl}
\sigma \models p & \text{iff} & p \in \sigma_0. \\[2pt]
\sigma \not\models \mathit{false}. \\[2pt]
\sigma \models \varphi_1 \to \varphi_2 & \text{iff} & \sigma \models \varphi_1 \text{ implies } \sigma \models \varphi_2. \\[2pt]
\sigma \models \bigcirc\varphi & \text{iff} & \sigma^1 \models \varphi. \\[2pt]
\sigma \models \varphi_1\,\mathcal{U}\,\varphi_2 & \text{iff} & \sigma^i \models \varphi_2 \text{ for some } i \ge 0, \text{ and } \sigma^j \models \varphi_1 \text{ for all } 0 \le j < i.
\end{array}$$

Consequently, the until formula p U q requires that p holds until the first subsequent q-state and that there is such a q-state; the unless formula p 𝒲 q requires that p holds either until the next q-state or forever, if no such q-state exists. In the following, we give some examples of PTL-formulas that are commonly used for the specification of reactive systems.
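The satisfaction relation above is defined over infinite sequences, but an ultimately periodic sequence (a finite prefix followed by a loop that repeats forever) has only finitely many distinct suffixes, so each formula can be evaluated to the set of positions at which it holds. The following evaluator is an added example and not code from the thesis; it implements the five basic clauses above literally and defines ◇, □ and unless exactly as the text does, with until computed as a least fixpoint over the loop (the `Lasso` representation and operator names are this example's own choices):

```python
"""PTL evaluated over ultimately periodic (lasso) state sequences.

An infinite state sequence sigma is represented by a finite tuple of
states plus the index of the state that follows the last one, so that
sigma = s_0 ... s_{loop-1} (s_loop ... s_{n-1})^omega.  Because the suffix
sigma^i depends only on the position i in the lasso, every formula can be
evaluated to the finite set of positions at which it holds.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

State = FrozenSet[str]


@dataclass(frozen=True)
class Lasso:
    states: Tuple[State, ...]   # positions 0 .. n-1
    loop: int                   # position n-1 is followed by position `loop`

    def succ(self, i: int) -> int:
        return i + 1 if i + 1 < len(self.states) else self.loop


# Formulas are tagged tuples; only the basic operators of the text are primitive.
def Prop(p: str): return ("prop", p)
FALSE = ("false",)
def Imp(a, b): return ("imp", a, b)        # a -> b
def Next(a): return ("next", a)            # (next) a
def Until(a, b): return ("until", a, b)    # a U b  (strong until)

# Derived operators, exactly as the text defines them.
def Not(a): return Imp(a, FALSE)
TRUE = Not(FALSE)
def Or(a, b): return Imp(Not(a), b)
def And(a, b): return Not(Imp(a, Not(b)))
def Eventually(a): return Until(TRUE, a)             # <> a  =  true U a
def Always(a): return Not(Eventually(Not(a)))        # [] a  =  not <> not a
def Unless(a, b): return Or(Until(a, b), Always(a))  # a W b = (a U b) or [] a


def sat(lasso: Lasso, f) -> FrozenSet[int]:
    """Set of positions i of the lasso with sigma^i |= f."""
    positions = range(len(lasso.states))
    op = f[0]
    if op == "prop":
        return frozenset(i for i in positions if f[1] in lasso.states[i])
    if op == "false":
        return frozenset()
    if op == "imp":
        a, b = sat(lasso, f[1]), sat(lasso, f[2])
        return frozenset(i for i in positions if i not in a or i in b)
    if op == "next":
        a = sat(lasso, f[1])
        return frozenset(i for i in positions if lasso.succ(i) in a)
    if op == "until":
        a, b = sat(lasso, f[1]), sat(lasso, f[2])
        # a U b holds at i iff b holds at i, or a holds at i and a U b holds
        # at succ(i): compute the least fixpoint by backward propagation.
        u = set(b)
        changed = True
        while changed:
            changed = False
            for i in positions:
                if i not in u and i in a and lasso.succ(i) in u:
                    u.add(i)
                    changed = True
        return frozenset(u)
    raise ValueError(f"unknown operator {op!r}")


def holds(lasso: Lasso, f) -> bool:
    """sigma |= f, i.e. f holds at position 0."""
    return 0 in sat(lasso, f)


# Constructed sample: the sequence {p} {} {q} {p} {} {q} ... (loop back to 0).
RESPONSE = Lasso((frozenset({"p"}), frozenset(), frozenset({"q"})), 0)
```

On `RESPONSE`, `holds(RESPONSE, Always(Imp(Prop("p"), Eventually(Prop("q")))))` is true while `Until(Prop("p"), Prop("q"))` fails at position 0, because the empty state between p and q breaks the "p holds until q" requirement. Since every position has exactly one successor, the backward propagation for until reaches a fixpoint after at most n rounds.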
Invariance and response properties

Two of the most important classes of qualitative (untimed) properties of reactive systems are invariance and response properties.

• An invariance property asserts that, once triggered, a certain condition will hold forever; it is often used to specify that something will never happen. A typical application of invariance is the specification of mutual exclusion: no two processes will ever be simultaneously in their critical sections. Formally, a state sequence σ is contained in the invariance property Π^□ ⊆ TSS^ω that specifies that "no p-state is followed by a q-state, ever" iff for all i ≥ 0,

$$\text{if } \sigma_i \models p, \text{ then } \sigma_j \not\models q \text{ for all } j > i.$$

This property is definable in PTL by the formula

$$\Box(p \to \Box\neg q).$$

• A response property asserts that, once triggered, a certain condition will become true eventually. A typical application of response is the specification of channel reliability: once a message is sent, it will eventually be received. Formally, a state sequence σ is contained in the response property Π^◇ ⊆ TSS^ω that specifies that "every p-state is followed by a q-state, eventually" iff for all i ≥ 0,

$$\text{if } \sigma_i \models p, \text{ then } \sigma_j \models q \text{ for some } j \ge i.$$

This property is definable in PTL by the formula

$$\Box(p \to \Diamond q).$$

Note that every invariance property is an (untimed) safety property and every response property is a liveness property.

3.1.2  Bounded  invariance  and  bounded  response 

Not surprisingly, two of the most important classes of quantitative timing requirements of reactive systems are time-bounded versions of invariance and response properties.

• A bounded-invariance property asserts that, once triggered, a condition will hold continuously for a certain amount of time; it is often used to specify that something will not happen for a certain amount of time. A typical application of bounded invariance is the specification of best-case performance; that is, the specification of a lower bound l on the termination of a system S: if started at time t, then S will not reach a final state before time t + l.

Given two boolean conditions p and q on states and l ∈ ℕ, we let Π^□_l ⊆ TSS^ω stand for the bounded-invariance property that specifies that "no p-state is followed by a q-state within less than l time units" (a boolean condition on states may, for example, be any boolean combination of propositions). Formally, the timed state sequence ρ = (σ, T) is contained in the bounded-invariance property Π^□_l iff for all i ≥ 0,

$$\text{if } \sigma_i \models p, \text{ then } \sigma_j \not\models q \text{ for all } j > i \text{ with } T_j < T_i + l.$$

• A bounded-response property asserts that something will happen within a certain amount of time. A typical application of bounded response is the specification of worst-case performance; that is, the specification of an upper bound u on the termination of a system S: if started at time t, then S is guaranteed to reach a final state no later than at time t + u.

Given two boolean conditions p and q on states and u ∈ ℕ, we let Π^◇_u ⊆ TSS^ω stand for the bounded-response property that specifies that "every p-state is followed by a q-state within u time units." Formally, the timed state sequence ρ = (σ, T) is contained in the bounded-response property Π^◇_u iff for all i ≥ 0,

$$\text{if } \sigma_i \models p, \text{ then } \sigma_j \models q \text{ for some } j \ge i \text{ with } T_j \le T_i + u.$$

Both bounded invariance and bounded response are (real-time) safety properties. The conjunction of the bounded-invariance property Π^□_δ and the bounded-response property Π^◇_δ with the same time bound δ asserts that "the distance between a p-state and the first subsequent q-state is always exactly δ time units."
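The two defining conditions above translate directly into a monitor over a recorded timed state sequence, which is how such requirements are checked against a log in practice. The following checker is an added example, not code from the thesis: it takes ρ = (σ, T) as a list of (T_i, σ_i) pairs with non-decreasing times and reports the pairs (i, j) that violate Π^□_l and the p-positions whose Π^◇_u obligation is violated. One caveat the definitions do not need but a monitor does: only a finite prefix is ever observed, so an obligation whose deadline T_i + u lies beyond the last recorded time is reported as pending rather than as violated. The sample log, the `req`/`grant` propositions and the `has` helper are constructed for this example.

```python
"""Checking bounded-invariance and bounded-response properties on a
finite prefix of a timed state sequence.

rho = (sigma, T) is a list of pairs (T_i, sigma_i) with non-decreasing
times.  A monitor only sees a finite prefix, so a bounded-response
obligation whose deadline has not yet passed at the end of the prefix is
reported as pending, not as violated.
"""
from typing import Callable, List, Set, Tuple

State = Set[str]
Timed = List[Tuple[int, State]]        # (T_i, sigma_i), T non-decreasing
Cond = Callable[[State], bool]         # boolean condition on states


def has(prop: str) -> Cond:
    """Condition 'the proposition prop is true in the state'."""
    return lambda state: prop in state


def bounded_invariance(rho: Timed, p: Cond, q: Cond, l: int) -> List[Tuple[int, int]]:
    """Violations of Pi^box_l ("no p-state is followed by a q-state within
    less than l time units"): all pairs (i, j) with sigma_i |= p, j > i,
    T_j < T_i + l and sigma_j |= q.  An empty list means the prefix complies."""
    violations = []
    for i, (t_i, s_i) in enumerate(rho):
        if not p(s_i):
            continue
        for j in range(i + 1, len(rho)):
            t_j, s_j = rho[j]
            if t_j >= t_i + l:
                break            # times are monotonic: no later j can qualify
            if q(s_j):
                violations.append((i, j))
    return violations


def bounded_response(rho: Timed, p: Cond, q: Cond, u: int) -> Tuple[List[int], List[int]]:
    """Obligations of Pi^diamond_u ("every p-state is followed by a q-state
    within u time units").  Returns (violated, pending): positions i of
    p-states with no j >= i such that sigma_j |= q and T_j <= T_i + u.  An
    obligation is violated once the prefix contains a state later than the
    deadline; otherwise it is still pending."""
    violated, pending = [], []
    for i, (t_i, s_i) in enumerate(rho):
        if not p(s_i):
            continue
        if any(q(s_j) and t_j <= t_i + u for t_j, s_j in rho[i:]):
            continue
        if rho[-1][0] > t_i + u:
            violated.append(i)
        else:
            pending.append(i)
    return violated, pending


def exact_distance(rho: Timed, p: Cond, q: Cond, delta: int) -> bool:
    """Conjunction of Pi^box_delta and Pi^diamond_delta on the prefix: every
    resolved p-state is followed by its first q-state at distance exactly
    delta (pending obligations are not counted against the prefix)."""
    violated, _ = bounded_response(rho, p, q, delta)
    return not bounded_invariance(rho, p, q, delta) and not violated


# Constructed sample log in the spirit of the arbiter example: requests
# should be granted within 10 time units.
SAMPLE: Timed = [
    (0, {"req"}), (2, set()), (4, {"grant"}),
    (5, {"req"}), (9, set()), (20, set()),
    (21, {"req"}),
]
```

On `SAMPLE`, `bounded_response(SAMPLE, has("req"), has("grant"), 10)` returns `([3], [6])`: the request at time 5 is never granted and the prefix already extends past its deadline, whereas the request at time 21 is still open. The early `break` in `bounded_invariance` relies on the monotonicity of T, which is exactly why the definition quantifies over times rather than positions.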

Let us add two important remarks about bounded-invariance and bounded-response properties. First, recall that Proposition 1.10 affirms that digital verification methods can be used for establishing analog properties that are inversely closed under digitization. We show that both bounded-invariance and bounded-response properties satisfy this criterion. This result is crucial to our entire approach, because we will introduce real-time logics for which we give, on one hand, verification techniques in the digital-clock model and, on the other hand, show that verification in the analog-clock model is undecidable. The following proposition justifies the use of the digital-clock model to prove that all real-time behaviors of a reactive system satisfy bounded-invariance and bounded-response properties; it guarantees that our digital methods do establish the desired analog properties.

Proposition 3.1 (Digitizability) All bounded-invariance and bounded-response properties are digitizable.

Proof of Proposition 3.1 The argument resembles exactly the proof of Proposition 2.3, which shows that all computations of a timed transition system are digitizable. This is because all finite lower-bound requirements of a timed transition system are bounded-invariance properties, and all finite upper-bound requirements of a timed transition system are bounded-response properties. ■

Secondly, Proposition 1.11 characterizes the real-time properties for which our approach to verification is complete: it requires that if an analog property Π contains a real-time behavior ρ, then it contains also the stuttering closure of ρ. It is not hard to see that while both bounded-invariance and bounded-response properties generally are not (weakly) closed under stuttering, they do satisfy the criterion

TiBehin^))  C  Hr 

of Proposition 1.11. Thus, to check if all real-time behaviors of a reactive system satisfy a bounded-invariance or a bounded-response requirement, it always suffices to check containment of the corresponding analog or digital properties.

3.1.3 Real-time temporal logics

We wish to extend PTL so that bounded-invariance and bounded-response properties can be defined. To begin with, a notational extension of PTL must be able to relate the times of different states. The obvious solution is to employ a first-order temporal logic with a state variable t that represents, in every state, the time of the state (i.e., the "current" time). The bounded-invariance property Π^□_5 can then be written as

$$\forall x.\ \Box\bigl((p \wedge t = x) \to \Box(t < x + 5 \to \neg q)\bigr). \qquad (\varphi^\Box_5)$$

The bounded-response property Π^◇_1 can be defined by the formula

$$\forall x.\ \Box\bigl((p \wedge t = x) \to \Diamond(q \wedge t \le x + 1)\bigr). \qquad (\varphi^\Diamond_1)$$

Note that in both cases the rigid (global) variable x is used to record the time of any p-state. Let V = {x, y, ...} be a set of rigid variables that range over the time domain TIME. By "real-time temporal logic" we refer to the first-order temporal logic over the propositions P, the state variable t, and the rigid variables V that admits an unspecified set of operations on time variables. Our terminology follows Ostroff, who has called this logic RTTL [104] (essentially the same logic has been called GCTL, for "global-clock temporal logic," by Pnueli and Harel [110]; neither reference is specific about the kind of timing constraints that are permitted).

We will argue that this upgrade from a propositional logic to its full first-order version is unnatural, unnecessary, and prohibitively expensive:

Unnatural We claim that the unconstrained classical quantification of rigid variables allowed in "real-time temporal logic" does not restrict the user to reasonable and readable specifications. We will propose a novel, restricted, form of quantification, which we call freeze quantification, by which time variables cannot be bound to arbitrary times, but, in any temporal context, only to the "current" time. This restriction makes the presence of the state variable t superfluous. Freeze quantification identifies, so we will argue, precisely the subclass of "natural," intended specifications, and it leads to a concise and readable notation.

Unnecessary We will show that the restriction of classical quantification to freeze quantification is harmless: it does not limit the class of real-time properties that are definable.

Expensive We will show that the restriction of classical quantification to freeze quantification is essential: while the decision problem for "real-time temporal logic" is nonelementary, the decision problem for the corresponding logic with freeze quantification is "only" in EXPSPACE.

These results obviously depend on the operations on time that are permitted in "real-time temporal logic." Thus we shall first identify the maximal theory of time that can be added to PTL without sacrificing its decidability. For this purpose, we will study classical theories of timed state sequences. The most expressive of these theories that is decidable will be


3.2. THE CLASSICAL THEORY OF TIMED STATE SEQUENCES 101


called "the" classical theory of timed state sequences. We will use its expressive power as a point of reference for determining which timing constraints can be safely admitted in "real-time temporal logic" and its restriction to freeze quantification, which will be called TPTL.

Unfortunately, the addition of past temporal operators, which allow more natural definitions of certain properties, renders TPTL nonelementary. This handicap of TPTL will induce us to introduce a second real-time extension of PTL, called MTL, which contains no time variables at all but, instead, refers to time through time-bounded versions of the temporal operators (including past operators). In a pleasing analogy to the untimed case, we will be able to show that both TPTL and MTL capture expressively complete, elementary, and finitely axiomatizable fragments of the classical theory of timed state sequences, which is nonelementary. Even though both languages are equally expressive, they select orthogonal fragments of the classical theory, which makes it easier to specify some real-time properties in TPTL, while others are more succinctly defined in MTL. Since both logics inherit the strong theoretical appeal of PTL, the untimed verification techniques can be generalized cleanly to both real-time specification languages.


3.2  The  Classical  Theory  of  Timed  State  Sequences 


We introduce "the" classical theory of timed state sequences, show its decidability, and characterize its expressiveness by ω-regular sets. We claim that this theory of timed state sequences is indeed the theory for reasoning about finite-state real-time systems. This is because all conceivable extensions and variations, syntactic or semantical, will be shown to be highly undecidable (Π^1_1-hard) theories.


3.2.1  The  classical  theory  of  state  sequences 

First, we recapitulate briefly why the theory of the natural numbers with linear order and monadic predicates underlies propositional linear-time temporal logics. We also take this opportunity to survey some important results about the complexity and expressive power of PTL.


Syntax and semantics

Let L² be the second-order language with unary predicate symbols and the binary predicate symbol <, and let L be its first-order fragment. We interpret L² over the natural numbers ℕ, with < being interpreted as the usual linear order. Throughout we consider only formulas that contain no free individual variables. Thus, given a formula φ of L² with the free predicate symbols p_1, ..., p_n, an interpretation I for φ specifies the sets p_1^I, ..., p_n^I ⊆ ℕ. Such an interpretation can be viewed as an infinite sequence σ of states σ_i ⊆ {p_1, ..., p_n}, for i ≥ 0 (let p_k ∈ σ_i iff i ∈ p_k^I). We denote the set of state sequences that satisfy φ by Π_L(φ) or simply Π(φ); hence every L²-formula φ defines the untimed property Π(φ) ⊆ TSS^ω.

Observe that L² is essentially the language underlying the theory S1S, the second-order theory of the natural numbers with successor and monadic predicates. This is because, in S1S, the order predicate < can be defined from the successor function using second-order quantification (and vice versa). Büchi established a close connection of the theory S1S with finite automata over infinite sequences [21] and used this relationship to show that S1S is decidable [22].

Complexity  and  expressiveness 

Formulas of the propositional linear temporal logic PTL can be faithfully translated into L, by replacing propositions with monadic predicates. For example, the response property that is expressed in PTL by the formula

$$\Box(p \to \Diamond q)$$

can be written in L as

$$\forall i.\ \bigl(p(i) \to \exists j \ge i.\ q(j)\bigr),$$

without changing the set of models; that is, Π_L(φ^◇) = Π^◇.

Although PTL corresponds to a proper subset of L, it has the full expressive power of L [40, 68]: that is, for every L-formula there is a PTL-formula that defines the same property of state sequences. Furthermore, the decision problem for L is nonelementary [121], whereas PTL is only PSPACE-complete [119] and has a singly exponential decision procedure [18]. To attain the greater expressive power of L², PTL may be strengthened by the addition of operators that correspond to right-linear grammars [130]. The resulting logic, extended temporal logic (ETL), has the expressive power of L² and, like PTL, still a singly exponential decision procedure (these and more results about PTL are surveyed in [35]).

The expressiveness of L² can also be characterized by ω-regular expressions [95]: for any formula φ of L², the set Π_L(φ) can be defined by an ω-regular expression over the alphabet of states. For example, Π_L(φ^◇) is described by the expression

$$\bigl(\{p,q\} + \{q\} + \{\} + (\{p\};(\{p\}+\{\})^*;(\{p,q\}+\{q\}))\bigr)^\omega.$$

The restricted expressive power of L corresponds to the star-free fragment of ω-regular expressions, in which the Kleene star may be applied only to the expression true [96, 122] (for an excellent survey of these and related results about regular sets of infinite sequences, see [123]).

3.2.2  Adding  time  to  state  sequences 

To obtain a theory of timed state sequences, we need to identify a suitable time domain TIME, with appropriate primitives, and couple the theory of state sequences with this theory of time through a unary ("time") function f, which associates a time with every state. We choose, as the theory of time, the theory of the natural numbers (i.e., TIME = ℕ) with linear-order and congruence primitives. Since time cannot decrease and cannot stagnate, we require that f be monotonic and unbounded. We will have an opportunity to justify these decisions later.

Let L²_T be a second-order language with two sorts, namely a state sort and a time sort. The vocabulary of L²_T consists of unary predicate symbols and the binary predicate symbol < over the state sort, the unary function symbol f from the state sort into the time sort, and the binary predicate symbols <, ≡_1, ≡_2, ... over the time sort. By L_T we denote the first-order fragment of L²_T. We restrict our attention to structures that choose the set of natural numbers ℕ as domain for both sorts, and interpret the primitives in the intended way (the predicate symbols ≡_c are interpreted as congruence relations modulo c ≥ 1). Thus, given a formula φ of L²_T with the free predicate symbols p_1, ..., p_n, an interpretation I for φ specifies the sets p_1^I, ..., p_n^I ⊆ ℕ and a monotonic and unbounded function f^I: ℕ → TIME.

The satisfaction relation is defined as usual. Every interpretation I for φ can be viewed as an infinite timed state sequence (σ, T) over ℕ (choose σ as in the untimed case, and let T_i = f^I(i) for all i ∈ ℕ). We denote the set of timed state sequences over ℕ that satisfy φ (i.e., the models of φ) by Π_{L_T}(φ) or simply Π(φ). As is standard, we often write I ⊨ φ for I ∈ Π(φ).

It follows that L²_T-formulas specify sets of digitally timed state sequences; the formula φ defines the digital property Π(φ) ⊆ TSS^ω_ℕ. For example, the bounded-invariance requirement Π^□_5, that "no p-state is followed by a q-state within less than 5 time units," can be specified by a formula of L_T:

$$\forall i.\ \bigl(p(i) \to \forall j > i.\ (f(j) < f(i) + 5 \to \neg q(j))\bigr) \qquad (\psi^\Box_5)$$

(note that the successor functions, over either sort, are definable in L_T); the bounded-response requirement Π^◇_1, that "every p-state is followed by a q-state within 1 time unit," is definable by the L_T-formula

$$\forall i.\ \bigl(p(i) \to \exists j \ge i.\ (q(j) \wedge f(j) \le f(i) + 1)\bigr). \qquad (\psi^\Diamond_1)$$

An L²_T-formula φ is satisfiable (valid) iff it is satisfied by some (every) timed state sequence over ℕ. The (second-order) theory of timed state sequences is the set of all valid sentences of L²_T. We prove it to be decidable.

3,2.3  Decidability  and  expressibility 

First  we  show  that,  given  an  interpretation  I  for  an  £j-formula  the  information  in 
essential  for  determining  the  truth  of  ^  has  finite-state  character. 

Finite*8tate  character  of  time 

Let us consider the sample formula $\phi^\Diamond$ again. A timed state sequence for $\phi^\Diamond$ specifies, for
every state, the truth values of the predicates $p$ and $q$, and the value of the time function.
Since $f$ is interpreted as a monotonic function, it can be viewed as a state variable $dt$ that
records, in every state, the increase in time from the previous state. Although $dt$ ranges
over the infinite domain $\mathbb{N}$, observe that if the time increases by more than 1 from a state
to its successor, then the actual value of the increase is of no relevance to the truth of the
formula $\phi^\Diamond$.

Consequently, to determine the truth of $\phi^\Diamond$, the state variable $dt$ can be modeled using
a finite number of unary time-difference predicates. We employ the three new predicates
$Prev_0$, $Prev_1$, and $Prev_{\ge 2}$ in the following way: $Prev_0$ is true of a state iff the time increase
from the previous state is 0, $Prev_1$ is true iff it is 1, and $Prev_{\ge 2}$ is true iff it is greater
than 1. Accordingly, we define the notion of an extended state sequence for $\phi^\Diamond$ as a state
sequence over the propositions $p$, $q$, $Prev_0$, $Prev_1$, and $Prev_{\ge 2}$ such that precisely one of
the propositions $Prev_0$, $Prev_1$, and $Prev_{\ge 2}$ is true in any state.

Given an extended state sequence, we can recover a corresponding timed state sequence:
the value of the time function in any $Prev_\delta$-state and $Prev_{\ge\delta}$-state is obtained by adding $\delta$
to its value in the previous state (if $Prev_\delta$ or $Prev_{\ge\delta}$ holds in the first state, let $\delta$ be its
time). This establishes a many-to-one correspondence between the timed and the extended
state sequences for $\phi^\Diamond$; it induces an equivalence relation on the set of all interpretations for
$\phi^\Diamond$ such that the truth of $\phi^\Diamond$ is invariant within any equivalence class. Every equivalence
class is, furthermore, definable by a finite number of predicates.

For formulas with congruence primitives, we need to introduce, apart from time-difference
predicates, also unary time-congruence predicates, to keep track of the congruence
class of the time value of every state. For example, consider the following formula $\psi$, which
states that "$p$ is true in every state with an even time value":

$\forall i.\,(f(i) \equiv_2 0 \to p(i)).$

Given an interpretation $I$ for $\psi$, the information in $I$ can be captured by the two predicates
$Cong_{2,0}$, which is true for states with even time, and $Cong_{2,1}$, which is true for states
with odd time.

Now we formalize this idea. Let $c(\phi)$ be the least common multiple of the set

$\{c \mid \equiv_c \text{ occurs in } \phi\}$

and $d(\phi)$ the product of $c(\phi)$ and $4^Q$, where $Q$ is the number of time quantifiers (i.e.,
quantifiers over variables of the time sort) occurring in $\phi$. Given a formula $\phi$ of $\mathcal{L}_T^2$ with
the free predicate symbols $p_1, \ldots, p_n$, an extended state sequence $J$ for $\phi$ specifies the sets
$p_1^J, \ldots, p_n^J \subseteq \mathbb{N}$, a partition of $\mathbb{N}$ into the sets $Prev_0^J, \ldots, Prev_{d(\phi)-1}^J, Prev_{\ge d(\phi)}^J$, and another
partition of $\mathbb{N}$ into the sets $Cong_{c(\phi),0}^J, \ldots, Cong_{c(\phi),c(\phi)-1}^J$. Given an interpretation $I$ for $\phi$, the
extended state sequence $J$ underlying $I$ is defined as follows:

• $J$ agrees with $I$ on $p_1, \ldots, p_n$.

• For all $i \ge 0$ and $0 \le \delta < d(\phi)$, $i \in Prev_\delta^J$ iff $f^I(i) = f^I(i-1) + \delta$.

• For all $i \ge 0$, $i \in Prev_{\ge d(\phi)}^J$ iff $f^I(i) \ge f^I(i-1) + d(\phi)$.

• For all $i \ge 0$ and $0 \le \delta < c(\phi)$, $i \in Cong_{c(\phi),\delta}^J$ iff $f^I(i) \equiv_{c(\phi)} \delta$.

Throughout we use the convention that $f^I(-1) = 0$ for every interpretation $I$.

Lemma 3.1 (Finite-state character of time) Given a formula $\phi$ of $\mathcal{L}_T^2$ and two in-
terpretations $I$ and $J$ for $\phi$ with the same underlying extended state sequence, $I \models \phi$ iff
$J \models \phi$.

Proof of Lemma 3.1 Consider two interpretations $I$ and $J$ for the $\mathcal{L}_T^2$-formula $\phi$ that have
the same underlying extended state sequence; that is, $I$ and $J$ agree on the free predicate
symbols of $\phi$, and for each $i \ge 0$, $f^I(i)$ and $f^J(i)$ belong to the same congruence class
modulo $c(\phi)$, and either $f^I(i) - f^I(i-1)$ is the same as $f^J(i) - f^J(i-1)$, or both are at
least $d(\phi)$.

We use induction on the structure of $\phi$ to prove our claim. To handle subformulas with
free variables properly, we need to strengthen our assumptions about the equivalence of
interpretations with respect to a formula. Let $\psi$ be a subformula of $\phi$, possibly with free
variables. Let $d(\psi)$ be the product of $c(\phi)$ and $4^Q$, where $Q$ is the number of time variables
bound in $\psi$. For ease of presentation, we represent the function $f$ by the countable set of
variables $\{f_i \mid i \ge 0\}$: for any interpretation $I$, let $f_i^I = f^I(i)$. By $Tvar(\psi)$ we denote
the union of the set of free time variables of $\psi$ with $\{f_i \mid i \ge 0\}$. We say that two
interpretations $I'$ and $J'$ for $\psi$ are equivalent with respect to $\psi$ iff they satisfy the following
conditions:

• For every predicate symbol $q$ free in $\psi$, $q^{I'} = q^{J'}$.

• For every state variable $i$ free in $\psi$, $i^{I'} = i^{J'}$.

• For all $x, y \in Tvar(\psi)$, $x^{I'} \le y^{I'}$ iff $x^{J'} \le y^{J'}$.

• For every $x, y \in Tvar(\psi)$, if $0 \le x^{I'} - y^{I'} < d(\psi)$, then $x^{I'} - y^{I'} = x^{J'} - y^{J'}$, and vice
versa.

• For every $x \in Tvar(\psi)$, $x^{I'} \equiv_{c(\phi)} x^{J'}$.
Clearly, the given two interpretations $I$ and $J$ are equivalent with respect to the given
formula $\phi$. Thus, it suffices to show that, for any subformula $\psi$ of $\phi$ and equivalent inter-
pretations $I'$ and $J'$ for $\psi$, $I' \models \psi$ implies $J' \models \psi$. We do so by induction on the structure
of $\phi$.

The interpretations $I'$ and $J'$ agree on the assignment to predicate symbols and state
variables of $\psi$. They may assign different values to the elements in $Tvar(\psi)$, but they agree
on their ordering and modulo-$c(\phi)$ congruence classes. Clearly, if $\psi$ is an atomic formula,
then $I' \models \psi$ iff $J' \models \psi$.

The  case  of  boolean  connectives  is  straightforward. 

Suppose that $\psi$ is of the form $\exists p.\,\psi'$ for a predicate symbol $p$, and that $I' \models \psi$. Let $I''$
be an extension of $I'$ such that $I'' \models \psi'$. From the inductive hypothesis, the extension of $J'$
that assigns the set $p^{I''}$ to $p$ is a model of $\psi'$. Hence, $J' \models \psi$. The case that $\psi$ is of the
form $\forall p.\,\psi'$ is similar.

If the outermost operator of $\psi$ is a quantifier for a state variable, then we can proceed
as in the previous case.

Now consider the case that $\psi$ is of the form $\exists x.\,\psi'$, for a time variable $x$. Suppose that
$I' \models \psi$. Let $I''$ be an extension of $I'$ such that $I'' \models \psi'$. First note that $d(\psi') = c(\phi) \cdot 4^{Q-1}$.
We extend $J'$ to an interpretation $J''$ for $\psi'$ in the following way: if for some $y \in Tvar(\psi)$,
$|y^{I''} - x^{I''}| < d(\psi')$, then choose $x^{J''}$ to be $y^{J''} + x^{I''} - y^{I''}$. Otherwise, let $y_1, y_2 \in Tvar(\psi)$
be such that $y_1^{I''} < x^{I''} < y_2^{I''}$. Note that $y_2^{I''} - y_1^{I''} \ge 2d(\psi')$, and hence, so is $y_2^{J''} - y_1^{J''}$.
We choose $x^{J''}$ between $y_1^{J''}$ and $y_2^{J''}$ at a distance at least $d(\psi')$ from either of
them. Furthermore, since the difference between $d(\psi)$ and $2d(\psi')$ is at least $c(\phi)$, we can
require the modulo-$c(\phi)$ congruence class of $x^{J''}$ to be the same as that of $x^{I''}$. Now $I''$
and $J''$ satisfy the requirements listed above. Using the inductive hypothesis, $J'' \models \psi'$, and
hence, $J' \models \psi$. The case of universal quantification is similar. ∎

It follows that the extended state sequence that underlies a given interpretation for an
$\mathcal{L}_T^2$-formula $\phi$ has enough information for deciding the truth of $\phi$. Consequently, every
formula $\phi$ can be viewed as characterizing a set $\Pi_1(\phi)$ of extended state sequences, instead
of the set $\Pi_\mathbb{N}(\phi)$ of timed state sequences. We say that the set

$\Pi_1(\phi) = \{J \mid J \text{ underlies some } I \in \Pi_\mathbb{N}(\phi)\}$

contains the untimed models of $\phi$.
Regular nature of the time primitives


Our next task is to show that the untimed property $\Pi_1(\phi)$ is $\omega$-regular for every $\mathcal{L}_T^2$-formula $\phi$.
This is achieved by constructing a formula in the language $\mathcal{L}^2$ that defines the same set
of extended state sequences. For instance, the untimed models of the $\mathcal{L}_T$-formula $\phi^\Diamond$ are
exactly the models of the $\mathcal{L}$-formula

$\forall i.\,\Big(p(i) \to \exists j \ge i.\,\Big(q(j) \wedge \big(\forall k.\,(i < k \le j \to Prev_0(k)) \;\vee\; \exists k.\,(i < k \le j \wedge Prev_1(k) \wedge \forall k' \ne k.\,(i < k' \le j \to Prev_0(k')))\big)\Big)\Big).$

A generalization of this construction leads to the following theorem.


Theorem 3.1 (Regular nature of the time primitives) For every formula $\phi$ of $\mathcal{L}_T^2$
there exists a formula $\psi$ of $\mathcal{L}^2$ that contains the additional time-difference predicates $Prev_0$,
$Prev_1$, ..., $Prev_{\ge d(\phi)}$ and the time-congruence predicates $Cong_{c(\phi),0}$, ..., $Cong_{c(\phi),c(\phi)-1}$, such
that $\Pi_1(\phi) = \Pi(\psi)$. Furthermore, if $\phi \in \mathcal{L}_T$ then $\psi \in \mathcal{L}$.


Proof of Theorem 3.1 Given an $\mathcal{L}_T^2$-formula $\phi$, we construct an equivalent (with respect
to extended state sequences) $\mathcal{L}^2$-formula $\psi$ in four steps.

First, we eliminate all time quantifiers. Let $I$ be an interpretation for $\phi$, and let
$\Delta = d(\phi) + c(\phi)$. We can easily find an interpretation $J$ with the same underlying extended
state sequence, such that $f^J(i) \le f^J(i-1) + \Delta$ for all $i \ge 0$. By Lemma 3.1, we know
that $J \models \phi$ iff $I \models \phi$. Based on this observation we perform the following transformation:
a subformula $\exists y.\,\psi(y)$, where $y$ is a time variable, is replaced by the disjunction

$\bigvee_{\delta=0}^{\Delta} \psi(\delta) \;\vee\; \exists i_y.\,\bigvee_{\delta=0}^{\Delta} \psi(f(i_y) + \delta),$

for a new state variable $i_y$. Let $\phi'$ be the formula obtained from $\phi$ by applying the above
transformation repeatedly until there are no time quantifiers left; clearly $\Pi_1(\phi) = \Pi_1(\phi')$.

The second step, resulting in $\phi''$, models the primitive time arithmetic of comparisons
and addition by constants by the time-difference predicates. For instance, consider the
subformula $f(i) + 1 \le f(j)$, for state variables $i$ and $j$. Intuitively, for $f(i)$ to be less
than $f(j)$ in any interpretation, state $i$ has to precede state $j$, and the time increase from
the previous state has to be positive for some intermediate state. Hence, we replace the
subformula by

$i < j \wedge \exists k.\,(i < k \le j \wedge \neg Prev_0(k)).$

Similarly, $f(i) \le f(j)$ and $f(i) \le f(j) + 1$ can be replaced by the two formulas

$\forall k.\,(j < k \le i \to Prev_0(k)),$   $(\phi_1)$

$\phi_1 \vee \exists k.\,(j < k \le i \wedge Prev_1(k) \wedge \forall k' \ne k.\,(j < k' \le i \to Prev_0(k'))),$

respectively. The generalization of this technique to subformulas of the forms $f(i) + c \le f(j)$
and $f(i) \le f(j) + c$, for arbitrary $c \ge 1$, is straightforward.
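The abstraction of time by the $Prev$ and $Cong$ predicates, and the way the time-difference predicates decide comparisons, can be exercised directly. The following Python is an added example, not code from the thesis: it computes the extended state sequence of a finite prefix of a time function under the definition given above (with $f(-1) = 0$, and with `d` and `c` standing in for $d(\phi)$ and $c(\phi)$), recovers one timed representative of the equivalence class (the correspondence is many-to-one), and decides $f(i) \le f(j) + c$ from the $Prev$ predicates alone, generalizing the $c = 0$ and $c = 1$ replacements above to any constant below `d`; `check_encoding` compares that decision with plain time arithmetic. The function names and the sample time values are constructed for this example.

```python
"""Extended state sequences and the Prev-based encoding of time comparisons.

Added example (not from the thesis). Times are a finite prefix f(0), f(1), ...
of a digitally timed state sequence, with the convention f(-1) = 0; `d` stands
for d(phi) and `c` for c(phi). Names and sample values are constructed here.
"""

BIG = ">=d"   # marker for the Prev_{>=d} class: a jump of at least d


def to_extended(times, d, c):
    """Per state i, return (prev, cong): prev is the jump f(i) - f(i-1) when it
    is below d, else BIG; cong is f(i) mod c, the index of its Cong_{c,k} class."""
    ext, prev_t = [], 0                      # f(-1) = 0
    for t in times:
        if t < prev_t:
            raise ValueError("time function must be monotonic")
        jump = t - prev_t
        ext.append((jump if jump < d else BIG, t % c))
        prev_t = t
    return ext


def canonical_times(ext, d, c):
    """Recover one timed state sequence from an extended one (many-to-one):
    a BIG jump becomes the smallest jump >= d that lands in the recorded
    congruence class, so the result is the minimal representative."""
    times, prev_t = [], 0
    for prev, cong in ext:
        if prev == BIG:
            jump = d
            while (prev_t + jump) % c != cong:   # at most c iterations
                jump += 1
        else:
            jump = prev
            if (prev_t + jump) % c != cong:
                raise ValueError("Prev and Cong classes are inconsistent")
        prev_t += jump
        times.append(prev_t)
    return times


def leq_plus_c_via_prev(ext, i, j, c_const):
    """Decide f(i) <= f(j) + c_const from the time-difference predicates only.
    This is the general form of the thesis's replacement for f(i) <= f(j) + 1:
    for i <= j it holds trivially; otherwise the jumps of the states k with
    j < k <= i must add up to at most c_const. Exact whenever c_const < d,
    because every jump that is not recorded exactly already exceeds c_const."""
    if i <= j:
        return True
    total = 0
    for k in range(j + 1, i + 1):
        prev = ext[k][0]
        if prev == BIG:
            return False
        total += prev
    return total <= c_const


def check_encoding(times, d, c):
    """Compare the Prev-based decision with plain time arithmetic for every
    pair of states and every constant below d; return the number of cases."""
    ext = to_extended(times, d, c)
    cases = 0
    for i in range(len(times)):
        for j in range(len(times)):
            for const in range(d):
                if leq_plus_c_via_prev(ext, i, j, const) != (times[i] <= times[j] + const):
                    raise AssertionError(f"mismatch at i={i}, j={j}, c={const}")
                cases += 1
    return cases


# Constructed sample: a time function with stalls, small jumps and one large jump.
SAMPLE_TIMES = [0, 0, 1, 3, 3, 10, 10, 11]

if __name__ == "__main__":
    ext = to_extended(SAMPLE_TIMES, d=4, c=2)
    print(ext)                                  # state 5 is a Prev_{>=4} state
    print(canonical_times(ext, d=4, c=2))       # [0, 0, 1, 3, 3, 8, 8, 9]
    print(check_encoding(SAMPLE_TIMES, d=4, c=2), "cases agree")
```

Applying `to_extended` to the recovered sequence gives the original extended sequence again, which is the quotient property Lemma 3.1 relies on: the original and the canonical times are two interpretations with the same underlying extended state sequence.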

In a third step, we model the congruence primitives of $\phi''$ with the help of the time-
congruence predicates. Consider a subformula of the form $f(i) + c \equiv_d f(j)$. Since there is
only a finite number of modulo-$c(\phi)$ congruence classes to which $f(i)$ and $f(j)$ can belong,
we can use a case analysis to express this relationship. We replace the subformula by

$\bigwedge_{k=1}^{d} \Big( \neg \bigvee_{k'=1}^{c(\phi)/d} Cong_{c(\phi),(k+dk') \bmod c(\phi)}(i) \;\vee\; \bigvee_{k'=1}^{c(\phi)/d} Cong_{c(\phi),(k+c+dk') \bmod c(\phi)}(j) \Big).$

Subformulas of the form $f(i) \equiv_d c$ can be handled similarly.

Let $\phi'''$ be the formula resulting from eliminating all time primitives in the described
way. The desired $\mathcal{L}^2$-formula $\psi$ is obtained by adding, to $\phi'''$, the following conjuncts:

• Exactly one of the time-difference predicates $Prev_0$, ..., $Prev_{\ge d(\phi)}$ is true for every
state $i \ge 0$.

• Exactly one of the time-congruence predicates $Cong_{c(\phi),0}$, ..., $Cong_{c(\phi),c(\phi)-1}$ is true
for every state $i \ge 0$.

• For all $i \ge 0$, the congruence classes of $i$ and $i+1$, and the time jump $f(i+1) - f(i)$
are related in a consistent fashion:

$\forall i.\,\bigwedge_{k=0}^{c(\phi)-1}\;\bigwedge_{k'=0}^{d(\phi)-1}\Big((Prev_{k'}(i+1) \wedge Cong_{c(\phi),k}(i)) \to Cong_{c(\phi),(k'+k) \bmod c(\phi)}(i+1)\Big).$

∎

This theorem, combined with the earlier stated facts about $\mathcal{L}^2$, gives the following
important results regarding the decidability and expressiveness of the theory of timed state
sequences.

Corollary 3.1 (Decidability) The validity problem of the language $\mathcal{L}_T^2$ is decidable.

Clearly, the validity problem is nonelementary even for the first-order language $\mathcal{L}_T$, as $\mathcal{L}$
is a fragment of $\mathcal{L}_T$ (recall that Stockmeyer showed $\mathcal{L}$ to be nonelementary [121]). We point
out that the requirement that the time function $f$ be unbounded, which corresponds to the
progress condition on timed state sequences, has not been used to obtain the decidability
result for the language $\mathcal{L}_T^2$; it follows that the validity problem of $\mathcal{L}_T^2$ is solvable even if
$\mathcal{L}_T^2$ is interpreted over arbitrary monotonic sequences of observations. The monotonicity
requirement on time, on the other hand, will be shown to be essential for $\mathcal{L}_T$ to be decidable.

Corollary 3.2 (Expressiveness) Given a formula $\phi$ of $\mathcal{L}_T^2$ with the free predicate symbols
$p_1, \ldots, p_n$, the set $\Pi_1(\phi)$ can be characterized by an $\omega$-regular expression over the alphabet

Furthermore, if $\phi \in \mathcal{L}_T$, then $\Pi_1(\phi)$ can be defined by a star-free $\omega$-regular expression.


3.3 Timed Temporal Logic

In this section, we introduce a novel extension of PTL that is interpreted over timed state
sequences: timed propositional temporal logic (TPTL). We compare the digital properties
that are expressible in TPTL with those that are expressible in the classical language $\mathcal{L}_T$.
TPTL is shown to correspond to an expressively complete fragment of $\mathcal{L}_T$; that is, the set
of models of any $\mathcal{L}_T$-formula can be defined by a TPTL-formula. Later, in Chapter 4, we
will show that TPTL is, in fact, much cheaper to decide (doubly exponential) than the full
first-order theory of timed state sequences (nonelementary). Both results are important as
they establish TPTL as

1. a sufficiently expressive real-time specification language and

2. a suitable formalism for the algorithmic verification of finite-state real-time systems.

It follows that the gains in complexity in moving from a classical theory to temporal logic
are, as in the untimed case, not achieved at the cost of expressive power.

We also try to extend TPTL in many possible ways. Some of these extensions, including
"real-time temporal logic," correspond to larger fragments of $\mathcal{L}_T$ and, therefore, are still
decidable. However, they turn out to be nonelementary, thus affirming our choice of TPTL
as verification formalism. Several more daring generalizations of TPTL will be shown to
be even highly undecidable. TPTL can, on the other hand, be extended to attain the full
expressiveness of the second-order language $\mathcal{L}_T^2$ at no cost in complexity.

3.3.1 Syntax and semantics

TPTL is obtained from PTL by adding variables that refer explicitly to time. A time
variable $x$ can be bound by a freeze quantifier "$x.$" that "freezes" $x$ to the "current" time.
Let $\phi(x)$ be a formula in which the variable $x$ may occur free. Then $x.\,\phi(x)$ is satisfied
by the timed state sequence $\rho = (\sigma, T)$ iff $\phi(T_0)$ is satisfied by $\rho$ (the formula $\phi(T_0)$ is
obtained from $\phi(x)$ by replacing all free occurrences of the variable $x$ by the constant $T_0$).
For example, in the formula $\Diamond x.\,\phi(x)$, the time reference $x$ is bound to the time of the state
at which $\phi$ is "eventually" true: it specifies that $\phi(T_i)$ is true of some suffix $\rho^i$ of a timed
state sequence $\rho = (\sigma, T)$. Similarly, the formula $\Box x.\,\phi(x)$ asserts that $\phi(T_i)$ is true of every
suffix $\rho^i$ of $\rho$.

This extension of PTL with explicit references to the times of states admits the
expression of timing constraints by atomic formulas that relate the times of different states.
The formulas of TPTL are built from propositions and timing constraints by boolean
connectives, temporal operators, and freeze quantifiers. For instance, the bounded-invariance
requirement $\Pi^\Box$ — that "no $p$-state is followed by a $q$-state within less than 5 time units"
— can be stated in TPTL as

$\Box x.\,(p \to \Box y.\,(y < x + 5 \to \neg q));$   $(\phi^\Box)$

the bounded-response requirement $\Pi^\Diamond$ — that "every $p$-state is followed by a $q$-state within 1
time unit" — is definable by the formula

$\Box x.\,(p \to \Diamond y.\,(q \wedge y \le x + 1)).$   $(\phi^\Diamond)$

(Read this formula as "Whenever there is a request $p$, and the variable $x$ is frozen to the
current time, the request is followed by a response $q$, at time $y$, such that $y$ is at most
$x + 1$.")
Syntax of TPTL

Given a set $P$ of proposition symbols and a set $V$ of (time) variables, the terms $\pi$ and
formulas $\phi$ of TPTL are inductively defined as follows:

$\pi ::= x + c \mid c$

$\phi ::= p \mid \pi_1 \le \pi_2 \mid \pi_1 \equiv_d \pi_2 \mid false \mid \phi_1 \to \phi_2 \mid \bigcirc\phi \mid \phi_1\,\mathcal{U}\,\phi_2 \mid x.\,\phi$

for $x \in V$, $p \in P$, $c, d \in \mathbb{N}$, and $d \ne 0$. If all terms in a formula $\phi$ of TPTL contain variables,
we say that $\phi$ contains no absolute time references. The abbreviations $x$ (for $x + 0$), $=$, $<$,
$\ge$, $>$, $true$, $\wedge$, $\vee$, and $\neg$ are defined as usual. Additional temporal operators are defined
in terms of the given next and until operators as in PTL:

Eventually: $\Diamond\phi$ stands for $true\,\mathcal{U}\,\phi$.

Always: $\Box\phi$ stands for $\neg\Diamond\neg\phi$ or, equivalently, $\neg(true\,\mathcal{U}\,\neg\phi)$.

Unless: $\phi\,\mathcal{W}\,\psi$ stands for $\Box\phi \vee \phi\,\mathcal{U}\,\psi$.

Note that the timing constraints of TPTL allow only the addition of integer constants
to time variables, not the addition (or any other binary operation) of variables. From a
logical point of view, this restriction limits us to the successor operation on time; we will
have a chance to justify it later. We have, on the other hand, not defined TPTL-terms
by a unary successor operator, because for determining the length of a TPTL-formula, we
assume that all constants are given in a reasonably succinct (e.g., binary) encoding. The
size of a formula will be important for locating the computational complexity of problems
whose input includes formulas of TPTL.

Semantics of TPTL

The formulas of TPTL are interpreted over timed state sequences. Let $\rho = (\sigma, T)$ be a timed
state sequence and $\mathcal{E}: V \to TIME$ be an interpretation (environment) for the variables.
The pair $(\rho, \mathcal{E})$ satisfies the TPTL-formula $\phi$, written $\rho \models_\mathcal{E} \phi$, where the satisfaction relation $\models$
is inductively defined as follows for all $i \ge 0$:

$\rho^i \models_\mathcal{E} p$ iff $p \in \sigma_i$.

$\rho^i \models_\mathcal{E} \pi_1 \le \pi_2$ iff $\mathcal{E}(\pi_1) \le \mathcal{E}(\pi_2)$.

$\rho^i \models_\mathcal{E} \pi_1 \equiv_d \pi_2$ iff $\mathcal{E}(\pi_1) \equiv_d \mathcal{E}(\pi_2)$.

$\rho^i \not\models_\mathcal{E} false$.

$\rho^i \models_\mathcal{E} \phi_1 \to \phi_2$ iff $\rho^i \models_\mathcal{E} \phi_1$ implies $\rho^i \models_\mathcal{E} \phi_2$.

$\rho^i \models_\mathcal{E} \bigcirc\phi$ iff $\rho^{i+1} \models_\mathcal{E} \phi$.

$\rho^i \models_\mathcal{E} \phi_1\,\mathcal{U}\,\phi_2$ iff $\rho^j \models_\mathcal{E} \phi_2$ for some $j \ge i$, and $\rho^k \models_\mathcal{E} \phi_1$ for all $i \le k < j$.

$\rho^i \models_\mathcal{E} x.\,\phi$ iff $\rho^i \models_{\mathcal{E}[x := T_i]} \phi$.

Here $\mathcal{E}(x + c) = \mathcal{E}(x) + c$ and $\mathcal{E}(c) = c$. Moreover, $\mathcal{E}[x := t]$ denotes the environment that
agrees with $\mathcal{E}: V \to TIME$ on all variables except $x$, which is mapped to $t \in TIME$. Note
that although our definition of syntax and semantics of TPTL is independent of the clock
model, in the analog-clock model congruence relations are not meaningful, and therefore
not permitted.
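As an added example (not part of the thesis), the following Python evaluator implements the satisfaction relation just defined for closed formulas over a finite prefix of a timed state sequence, which is the situation of a monitor checking a timed event log against a TPTL requirement. It uses a finite-trace reading of the temporal operators, an assumption of this example rather than the thesis's semantics: next is false at the last state of the prefix and until needs its witness inside the prefix. Formulas are nested tuples built by the constructors; the traces are constructed request/response logs ($p$ = request observed, $q$ = response observed), and the two requirements $\phi^\Box$ and $\phi^\Diamond$ are the ones stated in the text.

```python
"""TPTL evaluator over a finite prefix of a timed state sequence.

Added example, not from the thesis. Finite-trace reading (an assumption of
this example): 'next' is false at the last state and 'until' needs its
witness inside the prefix. A trace is a list of (set_of_propositions, time).
"""


# --- syntax: terms are (variable, offset); variable None means a constant ---
def var(x, c=0): return (x, c)
def const(c): return (None, c)

# primitive formulas, tagged tuples
def prop(p): return ("prop", p)
def leq(t1, t2): return ("leq", t1, t2)          # t1 <= t2
def cong(t1, t2, d): return ("cong", t1, t2, d)  # t1 =_d t2
FALSE = ("false",)
def implies(a, b): return ("impl", a, b)
def nxt(a): return ("next", a)
def until(a, b): return ("until", a, b)
def freeze(x, a): return ("freeze", x, a)        # x. a

# abbreviations, defined as in the thesis
def neg(a): return implies(a, FALSE)
TRUE = neg(FALSE)
def conj(a, b): return neg(implies(a, neg(b)))
def lt(t1, t2): return leq((t1[0], t1[1] + 1), t2)   # t1 < t2 over N
def eventually(a): return until(TRUE, a)
def always(a): return neg(eventually(neg(a)))


def ev_term(env, t):
    x, c = t
    return c if x is None else env[x] + c


def sat(trace, i, env, phi):
    """rho^i |=_env phi for the finite prefix `trace`."""
    tag = phi[0]
    props, t_i = trace[i]
    if tag == "prop":
        return phi[1] in props
    if tag == "leq":
        return ev_term(env, phi[1]) <= ev_term(env, phi[2])
    if tag == "cong":
        return (ev_term(env, phi[1]) - ev_term(env, phi[2])) % phi[3] == 0
    if tag == "false":
        return False
    if tag == "impl":
        return (not sat(trace, i, env, phi[1])) or sat(trace, i, env, phi[2])
    if tag == "next":
        return i + 1 < len(trace) and sat(trace, i + 1, env, phi[1])
    if tag == "until":
        for j in range(i, len(trace)):
            if sat(trace, j, env, phi[2]):
                return True                       # witness found at j
            if not sat(trace, j, env, phi[1]):
                return False                      # phi_1 broken before a witness
        return False                              # no witness inside the prefix
    if tag == "freeze":
        return sat(trace, i, {**env, phi[1]: t_i}, phi[2])   # E[x := T_i]
    raise ValueError(f"unknown formula tag {tag}")


def models(trace, phi):
    """rho |= phi for a closed formula: evaluate at state 0 with an empty environment."""
    return sat(trace, 0, {}, phi)


# The two requirements from the text, in the tuple encoding.
# phi_box:  []x.(p -> []y.(y < x+5 -> ~q))
PHI_BOX = always(freeze("x", implies(prop("p"),
          always(freeze("y", implies(lt(var("y"), var("x", 5)), neg(prop("q"))))))))
# phi_diamond:  []x.(p -> <>y.(q /\ y <= x+1))
PHI_DIAMOND = always(freeze("x", implies(prop("p"),
              eventually(freeze("y", conj(prop("q"), leq(var("y"), var("x", 1))))))))

# Constructed logs: p = request observed, q = response observed.
TRACE_PROMPT = [({"p"}, 0), (set(), 0), ({"q"}, 1), ({"p"}, 3), ({"q"}, 4), (set(), 6)]
TRACE_LATE = [({"p"}, 0), (set(), 1), ({"q"}, 2), (set(), 3)]
TRACE_QUIET = [({"p"}, 0), (set(), 2), ({"q"}, 5), (set(), 7)]

if __name__ == "__main__":
    for name, tr in [("prompt", TRACE_PROMPT), ("late", TRACE_LATE), ("quiet", TRACE_QUIET)]:
        print(name, "bounded response:", models(tr, PHI_DIAMOND),
              "bounded invariance:", models(tr, PHI_BOX))
```

Because $\Box$ is expanded as $\neg\Diamond\neg$, the finite-trace reading makes it "holds at every state of the prefix", so a verdict from a prefix is only as strong as the log it was computed from; that is the usual caveat of monitoring a liveness-flavoured requirement such as $\phi^\Diamond$.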

A TPTL-formula $\phi$ is satisfiable (valid) iff $\rho \models_\mathcal{E} \phi$ for some (every) timed state
sequence $\rho$ and some (every) environment $\mathcal{E}$. The truth value of a closed formula, which
contains no free variables, is completely determined by a timed state sequence alone. We
say that the timed state sequence $\rho$ is a model of the closed formula $\phi$, and write $\rho \models \phi$, iff
the pair $(\rho, \mathcal{E})$ satisfies $\phi$ for any environment $\mathcal{E}$. As usual, two closed formulas are called
equivalent iff they have the same models.

Henceforth, we shall consider only closed formulas of TPTL: whenever we refer to a
TPTL-formula $\phi$, we assume that $\phi$ contains no free variables. Thus every TPTL-formula $\phi$
defines, in the analog-clock model, an analog property $\Pi_\mathbb{R}(\phi) \subseteq TSS_\mathbb{R}$; in the digital-clock
model, a digital property $\Pi_\mathbb{N}(\phi) \subseteq TSS_\mathbb{N}$; in the untimed model, an untimed property
$\Pi_1(\phi) \subseteq TSS_1$:

$\rho \in \Pi_{TIME}(\phi)$ iff $\rho \models \phi$

for all $\rho \in TSS_{TIME}$. If we omit the parameter $TIME$, we refer, by default, to the digital-clock
model; stated otherwise, the models of a TPTL-formula are taken to be timed state
sequences over $\mathbb{N}$. This decision will also be justified later.

Observe that every TPTL-formula $\psi$ without freeze quantifiers specifies a time-invariant
property and can be read as a formula $\phi$ of PTL. Indeed, TPTL builds conservatively on
the semantics of PTL:

$\Pi(\psi)^- = \Pi_1(\psi) = \Pi(\phi).$

We also remark that TPTL as we originally defined it [10] differs syntactically in that the
freeze quantifiers were coupled with the temporal operators. The coupling does not restrict
us in any essential way: by separating the quantifier "$x.$" from the temporal operators, we
admit more formulas (such as $\Box(x.\phi \to x.\psi)$), for each of which there is an equivalent
formula in which every quantifier follows a temporal operator ($\Box x.(\phi \to \psi)$). However,
when we study, in Chapter 5, TPTL as a modal logic, the separation of quantifiers from
the modal operators will turn out to be useful.


TPTL as a specification language

Let us demonstrate how TPTL improves the readability of real-time specifications by
replacing classical quantification with freeze quantification. A typical real-time requirement
for a reactive system is that a switch $p$ has to be turned off (represented by the
proposition $q$) within, say, 10 time units of its activation. In TPTL this condition can be expressed
by the formula

$\Box x.\,(p \to p\,\mathcal{U}\,y.\,(q \wedge y \le x + 10)).$   (1)

Using "real-time temporal logic" and its state variable $t$ that assumes the value of the
current time in every state, this specification usually is written as follows [104]:

$\Box((p \wedge x = t) \to p\,\mathcal{U}\,(q \wedge y = t \wedge y \le x + 10)).$   (2)

The meaning of this formula depends, not surprisingly, on the quantification of the rigid
time variables $x$ and $y$, which is left implicit. The very fact that the quantification is
often omitted [104, 110] suggests that the authors have some particular quantifiers for rigid
variables in mind, whose force, location, and order are considered to be so obvious that
they are not worth mentioning. If any quantifiers are given, they form a prefix to the entire
formula [53].

We claim that the following quantification is the (only) "intended" one:

$\Box\forall x.\,((p \wedge x = t) \to p\,\mathcal{U}\,\exists y.\,(q \wedge y = t \wedge y \le x + 10)).$   (3)
Note that (3) is equivalent to (1), but not to (2) with any quantifier prefix. In particular,
(3) does not imply the stronger condition

$\forall x.\,\exists y.\,\Box((p \wedge x = t) \to p\,\mathcal{U}\,(q \wedge y = t \wedge y \le x + 10)).$   (4)

The difference is subtle: while the formula (3) asserts that every $p$-state of time $x$ is followed
by $p$-states and, eventually, a $q$-state of time $y \le x + 10$, the formula (4) demands more:
that if there is a $p$-state of time $x$, then there is a time $y \le x + 10$ such that every $p$-state of
time $x$ is followed by $p$-states and, eventually, a $q$-state of time $y$. For instance, the timed
state sequence

$(\{p\}, 0) \to (\{q\}, 0) \to (\{p\}, 0) \to (\{q\}, 1) \to (\{\}, 2) \to (\{\}, 3) \to \cdots$

satisfies (3) but not (4).
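To make the difference between (3) and (4) checkable, the following Python is an added example (not from the thesis) that evaluates both readings over the sequence just given, encoded as a finite list. Since the omitted tail of the sequence contains neither $p$ nor $q$, both formulas are decided exactly by the prefix (an assumption of this example, stated here and not in the text). The function names and the second sample sequence are this example's own.

```python
"""Formula (3) versus formula (4) on a timed state sequence.

Added example, not from the thesis. A sequence is a list of (propositions, time);
the omitted infinite tail is assumed to contain neither p nor q, so the prefix
decides both formulas exactly.
"""


def responses(seq, i):
    """Times y of the q-states that witness  p U (q /\\ y = t)  from state i:
    a q-state j >= i such that p holds in every state k with i <= k < j."""
    ys = set()
    for j in range(i, len(seq)):
        props, t = seq[j]
        if "q" in props:
            ys.add(t)
        if "p" not in props:
            break                     # the run of p-states ends here
    return ys


def satisfies_3(seq, bound=10):
    """(3): every p-state of time x is followed by p-states and, eventually,
    a q-state of some time y <= x + bound (y may differ from p-state to p-state)."""
    return all(any(y <= x + bound for y in responses(seq, i))
               for i, (props, x) in enumerate(seq) if "p" in props)


def satisfies_4(seq, bound=10):
    """(4): for every time x at which a p-state occurs there is one time
    y <= x + bound that witnesses the until for all p-states of time x."""
    for x in {t for props, t in seq if "p" in props}:
        common = None                 # intersection of admissible y over the p-states of time x
        for i, (props, t) in enumerate(seq):
            if "p" in props and t == x:
                ys = {y for y in responses(seq, i) if y <= x + bound}
                common = ys if common is None else common & ys
        if not common:
            return False
    return True


# The sequence from the text: ({p},0) ({q},0) ({p},0) ({q},1) ({},2) ({},3) ...
SEQ_TEXT = [({"p"}, 0), ({"q"}, 0), ({"p"}, 0), ({"q"}, 1), (set(), 2), (set(), 3)]
# A constructed variant in which both p-states of time 0 share the response at time 1.
SEQ_SHARED = [({"p"}, 0), ({"p"}, 0), ({"q"}, 1), (set(), 2), (set(), 3)]

if __name__ == "__main__":
    print("text sequence:  (3)", satisfies_3(SEQ_TEXT), " (4)", satisfies_4(SEQ_TEXT))
    print("shared variant: (3)", satisfies_3(SEQ_SHARED), " (4)", satisfies_4(SEQ_SHARED))
```

On the text's sequence the two $p$-states of time 0 are answered at times 0 and 1 respectively, so no single $y$ serves both and (4) fails while (3) holds; in the constructed variant the response at time 1 serves both, and both formulas hold.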

Thus, TPTL selects the fragment of "real-time temporal logic" in which all variables
are bound to the times of states: the rigid variables are, immediately upon introduction,
frozen to the time (i.e., the value of the state variable $t$) in the local temporal context. In
particular, the TPTL-formula $x.\,\phi$ defines the same property as the formula

$\forall x.\,(x = t \to \phi)$

or, equivalently,

$\exists x.\,(x = t \wedge \phi)$

of "real-time temporal logic." It is precisely this restriction of our ability to arbitrarily
quantify over time variables that permits (and limits) us to express timing constraints
between states by concise and readable specifications (compare (1) with (3)). Later we
will see that it is also precisely this restriction of time variables to refer to "temporal" sets
of states that allows the development of verification algorithms as well as complete proof
systems.


Decidability of TPTL

In the digital-clock model, every TPTL-formula $\phi$ can be translated into the classical
language $\mathcal{L}_T$, while preserving the set of models $\Pi_\mathbb{N}(\phi)$. For every proposition $p$ of TPTL,
we have a corresponding unary state predicate $p(i)$ of $\mathcal{L}_T$. We translate a TPTL-formula $\phi$
to the $\mathcal{L}_T$-formula $Classic_0(\phi)$, where the mappings $Classic_i$, for $i \ge 0$, are inductively
defined as follows:

$Classic_i(p) = p(i),$

$Classic_i(\pi_1 \le \pi_2) = \pi_1 \le \pi_2,$

$Classic_i(\pi_1 \equiv_d \pi_2) = \pi_1 \equiv_d \pi_2,$

$Classic_i(false) = false,$

$Classic_i(\phi_1 \to \phi_2) = Classic_i(\phi_1) \to Classic_i(\phi_2),$

$Classic_i(\bigcirc\phi) = Classic_{i+1}(\phi),$

$Classic_i(\phi_1\,\mathcal{U}\,\phi_2) = \exists j \ge i.\,(Classic_j(\phi_2) \wedge \forall k.\,(i \le k < j \to Classic_k(\phi_1))),$

$Classic_i(x.\,\phi) = Classic_i(\phi)[x := f(i)].$

We write $\phi[x := f(i)]$ for the formula that is obtained from $\phi$ by replacing all free occurrences
of $x$ by $f(i)$.

It is not hard to see that a TPTL-formula $\phi$ is true over a timed state sequence $\rho \in TSS_\mathbb{N}$
iff $\rho$ satisfies the $\mathcal{L}_T$-formula $Classic_0(\phi)$:

$\Pi(\phi) = \Pi(Classic_0(\phi))$

for every TPTL-formula $\phi$. For example, the bounded-response formula $\phi^\Diamond$ is equivalent
to its translation $Classic_0(\phi^\Diamond)$:

$\forall i \ge 0.\,(p(i) \to \exists j \ge i.\,(q(j) \wedge f(j) \le f(i) + 1)).$

From Corollary 3.1, it follows that TPTL is decidable. Note that the mapping $Classic_0$
embeds TPTL into $\mathcal{L}_T$; its range constitutes a proper subset of all well-formed $\mathcal{L}_T$-formulas.
Thus, just as PTL corresponds to a subset of $\mathcal{L}$, we may view TPTL as a fragment of $\mathcal{L}_T$:
quantification over the state sort is restricted to the "temporal" way of PTL, while
quantification over the time sort is prohibited entirely.

We remark that the mapping $Classic_0$ translates a TPTL-formula $\phi$ with free variables
into an $\mathcal{L}_T$-formula with free variables of the time sort. It follows that $\phi$ is valid iff the
universal closure of $Classic_0(\phi)$ is valid, which shows that TPTL with free variables is
decidable as well.
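For a concrete view of the embedding, the following Python is an added example (not from the thesis) that produces $Classic_0(\phi)$ as a string. It follows the clauses above: a frozen variable is replaced by the term $f(i)$ of the state at which it was frozen, and the state variables introduced by the until clause come from a fresh-name generator. As a simplification of this example, $\Diamond$ and $\Box$ get direct clauses ($\exists j \ge i$ and $\forall j \ge i$) instead of being expanded through until and negation, which yields the same formula up to propositional equivalence; the tuple encoding of formulas and the function names are this example's own.

```python
"""Classic_i: translating TPTL into the classical language L_T, as strings.

Added example, not from the thesis. Formulas are tagged tuples built by the
constructors below; terms are (variable, offset), variable None for an
absolute time constant. State indices are strings ("0", "j", "k+1", ...).
"""
from itertools import count


# syntax (this example's own encoding)
def var(x, c=0): return (x, c)
def prop(p): return ("prop", p)
def leq(t1, t2): return ("leq", t1, t2)
def cong(t1, t2, d): return ("cong", t1, t2, d)
FALSE = ("false",)
def neg(a): return ("not", a)
def conj(a, b): return ("and", a, b)
def implies(a, b): return ("impl", a, b)
def nxt(a): return ("next", a)
def until(a, b): return ("until", a, b)
def eventually(a): return ("eventually", a)    # true U a, translated directly
def always(a): return ("always", a)            # ~<>~a, translated directly
def freeze(x, a): return ("freeze", x, a)


def state_vars():
    """Fresh state-variable names: j, k, l, m, j1, k1, ..."""
    for n in count():
        for v in "jklm":
            yield v if n == 0 else f"{v}{n}"


def term_str(t, subst):
    """Render a time term; a frozen variable x has been replaced by f(i) in subst."""
    x, c = t
    if x is None:
        return str(c)
    base = subst.get(x, x)          # free variables stay as they are
    return base if c == 0 else f"{base}+{c}"


def classic(phi, i="0", subst=None, fresh=None):
    """Classic_i(phi): i is the state index (a string), subst maps frozen
    variables to time terms, fresh yields state variables for quantifiers."""
    subst = {} if subst is None else subst
    fresh = state_vars() if fresh is None else fresh
    rec = lambda f, idx, s=subst: classic(f, idx, s, fresh)
    tag = phi[0]
    if tag == "prop":
        return f"{phi[1]}({i})"
    if tag == "leq":
        return f"{term_str(phi[1], subst)} <= {term_str(phi[2], subst)}"
    if tag == "cong":
        return f"{term_str(phi[1], subst)} =_{phi[3]} {term_str(phi[2], subst)}"
    if tag == "false":
        return "false"
    if tag == "not":
        return f"not {rec(phi[1], i)}"
    if tag == "and":
        return f"({rec(phi[1], i)} and {rec(phi[2], i)})"
    if tag == "impl":
        return f"({rec(phi[1], i)} -> {rec(phi[2], i)})"
    if tag == "next":
        return rec(phi[1], f"{i}+1")                      # Classic_{i+1}
    if tag == "until":
        j, k = next(fresh), next(fresh)
        body2, body1 = rec(phi[2], j), rec(phi[1], k)
        return f"exists {j} >= {i}. ({body2} and forall {k}. (({i} <= {k} and {k} < {j}) -> {body1}))"
    if tag == "eventually":
        j = next(fresh)
        return f"exists {j} >= {i}. {rec(phi[1], j)}"
    if tag == "always":
        j = next(fresh)
        return f"forall {j} >= {i}. {rec(phi[1], j)}"
    if tag == "freeze":
        return rec(phi[2], i, {**subst, phi[1]: f"f({i})"})   # phi[x := f(i)]
    raise ValueError(f"unknown formula tag {tag}")


# the bounded-response formula []x.(p -> <>y.(q /\ y <= x+1))
PHI_DIAMOND = always(freeze("x", implies(prop("p"),
              eventually(freeze("y", conj(prop("q"), leq(var("y"), var("x", 1))))))))

if __name__ == "__main__":
    print(classic(PHI_DIAMOND))
    # forall j >= 0. (p(j) -> exists k >= j. (q(k) and f(k) <= f(j)+1))
```

The output for $\phi^\Diamond$ is the formula displayed above up to the names of the bound state variables; the until clause shows where the quantifier structure of $\mathcal{L}_T$ comes from, and the freeze clause shows that no quantifier over the time sort is ever generated.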

3.3.2 Expressive completeness

We show that the restrictions imposed by TPTL on the quantification in $\mathcal{L}_T$-formulas do
not diminish its expressive power. In other words, any digital property that can be defined
in $\mathcal{L}_T$ can already be defined in TPTL. The natural embedding $Classic_0$ gives, for any
TPTL-formula $\phi$, an equivalent $\mathcal{L}_T$-formula $Classic_0(\phi)$, thus demonstrating that $\mathcal{L}_T$ is as
expressive as TPTL. By the following theorem, the converse is also true.

Theorem 3.2 (Expressive completeness of TPTL) For every formula $\phi$ of $\mathcal{L}_T$, there
exists a formula $\psi$ of TPTL such that $\Pi(\phi) = \Pi(\psi)$.

Proof of Theorem 3.2 Given an $\mathcal{L}_T$-formula $\phi$, we construct an equivalent TPTL-
formula $\psi$ in four steps. By Theorem 3.1, we obtain an $\mathcal{L}$-formula $\phi'$ with additional
time-difference predicates $Prev_\delta$ and $Prev_{\ge\delta}$ and time-congruence predicates $Cong_{c,\delta}$, such
that $\Pi_1(\phi) = \Pi(\phi')$. By the expressive completeness of PTL, there is a PTL-formula $\phi''$
such that $\Pi(\phi') = \Pi(\phi'')$ [40].

We transform $\phi''$ into an equivalent PTL-formula $\phi'''$ such that every time-difference
proposition $Prev_\delta$ and $Prev_{\ge\delta}$ is either not within the scope of any temporal operator, or
immediately preceded by a next operator. This can be done by repeatedly rewriting subfor-
mulas of the form $\bigcirc(\phi \to \psi)$ and $\phi\,\mathcal{U}\,\psi$ to $\bigcirc\phi \to \bigcirc\psi$ and $\psi \vee (\phi \wedge (\bigcirc\phi\,\mathcal{U}\,\bigcirc\psi))$,
respectively. From $\phi'''$ we arrive at $\psi$ by replacing every time-difference proposition $Prev_\delta$
and $Prev_{\ge\delta}$ that is not within the scope of a temporal operator with $x.\,x = \delta$ and $x.\,x \ge \delta$,
respectively; by replacing every subformula $\bigcirc Prev_\delta$ and $\bigcirc Prev_{\ge\delta}$ with $x.\bigcirc y.\,y = x + \delta$
and $x.\bigcirc y.\,y \ge x + \delta$; and by replacing every time-congruence proposition $Cong_{c,\delta}$ with
$x.\,x \equiv_c \delta$. ∎

We conclude the discussion of properties that are expressible in TPTL by interpret-
ing the logic over untimed state sequences, and investigating the expressive power of the
congruence relations.

Timeless expressiveness

Note that in the untimed model every atomic timing constraint of TPTL is trivially true.
Thus TPTL can express, in the untimed model, exactly the properties that are definable
in PTL. It follows that the untimed expressive power of TPTL is that of the first-order
language $\mathcal{L}$ or, equivalently, star-free $\omega$-regular expressions.

There is, however, another way to interpret TPTL-formulas over infinite state sequences.
With every TPTL-formula $\phi$ we can associate the untimed property $\Pi_\mathbb{N}(\phi)^- \subseteq TSS_1$ that
results from collecting the state components of all models of $\phi$. Interpreted in this fashion,
TPTL can define strictly more properties of state sequences than PTL. For example, the
untimed property $even(p)$, that "$p$ holds in every even state," is not expressible in PTL [130].
In TPTL, we may (ab)use time to identify the even states as exactly those in which the
time does not increase:

$x.\bigcirc y.\,x = y \;\wedge\; \Box x.\bigcirc y.\,(x = y \to p \wedge \bigcirc z.\,(z > y \wedge \bigcirc u.\,u = z)).$

We refer to the set of projections of digital properties that are definable in TPTL as the
timeless (as opposed to untimed) expressiveness of TPTL. The following proposition shows
that the timeless expressive power of TPTL is that of the second-order language $\mathcal{L}^2$ or,
equivalently, $\omega$-regular expressions.

Proposition 3.2 (Timeless expressiveness of TPTL) For every formula $\phi$ of TPTL,
there is a formula $\psi$ of $\mathcal{L}^2$ such that $\Pi_\mathbb{N}(\phi)^- = \Pi(\psi)$, and vice versa.


Proof  of  Proposition  3.2  (1)  Given  a  TPTL-formula  we  know  how  to  construct  an 
equivalent  £r-fonnula  <p'.  By  Theorem  3.1,  we  obtain  an  £-formula  rnth  additional 
time-difference  predicates  Prevs  and  Prev>{  and  time-congruence  predicates  Cong^^,  such 
that  ni(^'‘)  =  n(^'').  The  £^-fornxula  ip  that  binds  all  of  the  new  time  predicates  in  by 
an  existential  prefix  is  easily  seen  to  have  the  desired  models. 

(2) In order to show the second implication, we use a normal-form theorem for $\mathcal{L}^2$: given an $\mathcal{L}^2$-formula $\psi$, there is an equivalent $\mathcal{L}^2$-formula $\psi'$ of the form $\exists p_1 \ldots \exists p_n.\,\psi_M$ whose matrix $\psi_M$ contains no second-order quantifiers [22]. We construct a TPTL-formula $\phi$ that characterizes the models of $\psi$ by using the (existentially quantified) time map to encode the interpretation of the unary predicates $p_j$, $1 \leq j \leq n$, that are bound in $\psi'$.

Assign to every subset $J \subseteq \{1, \ldots, n\}$ a unique code $\delta_J \in \mathbb{N}$. By the expressive completeness of PTL, there is a PTL-formula $\psi_{PTL}$ such that $\Pi(\psi_M) = \Pi(\psi_{PTL})$ [40]. From $\psi_{PTL}$, we obtain $\phi$ by replacing every proposition $p_j$, $1 \leq j \leq n$, with

$$x.\,\bigcirc y.\,\bigvee_{J \ni j} y = x + \delta_J.$$

Now it is straightforward to establish a one-to-many correspondence between the models $I = (\sigma, p_1, \ldots, p_n)$ of $\psi_M$ and the timed state sequences $(\sigma, T)$ that satisfy $\phi$: given $I$, let $T_{i+1} = T_i + \delta_J$ such that $J = \{j \mid p_j(i)\}$; and given $T$, let $p_j(i)$ iff $j \in J_{T_{i+1} - T_i}$, where $J_\delta$ denotes the subset with code $\delta$ (assume that $j \notin J_\delta$ if $\delta$ is no proper code). $\blacksquare$

It follows that $\mathcal{L}_T$ with the time function existentially quantified has the full expressive power of the second-order language $\mathcal{L}^2$. In fact, the proof given above shows that equality and successor over the time sort are sufficient to achieve this timeless expressiveness.
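The coding used in part (2) of the proof can be run on a concrete interpretation. The following is an added worked example written for this edition, not code from the thesis: it takes the sets $J_i = \{j \mid p_j(i)\}$ of a finite prefix, builds the time map $T_{i+1} = T_i + \delta_{J_i}$, decodes the predicates back from the time differences, and checks that the TPTL substitute for $p_j$ agrees with $p_j(i)$ at every position. The choice of code $\delta_J$ (the bitmask of $J$) is an assumption of the example; the proof only needs some injection from subsets into $\mathbb{N}$.

```python
# Added example, not part of the thesis: the time-map coding from the proof of
# Proposition 3.2.  An interpretation (sigma, p_1, ..., p_n) of the first-order
# matrix psi_M is turned into a timed state sequence (sigma, T) by letting the
# time increase from state i to state i+1 be the code delta_J of the set
# J = {j | p_j(i)}; in the other direction p_j(i) is read off T_{i+1} - T_i.
# delta_J = bitmask of J is this example's choice of code (any injection works).
from itertools import combinations

def code(J):
    """delta_J: a unique natural-number code of the subset J of {1, ..., n}."""
    return sum(1 << (j - 1) for j in J)

def subset_of_code(delta, n):
    """J_delta, the subset with code delta, or None if delta is no proper code."""
    if not 0 <= delta < (1 << n):
        return None
    return frozenset(j for j in range(1, n + 1) if delta >> (j - 1) & 1)

def encode_time_map(J_seq, T0=0):
    """Given J_i = {j | p_j(i)} for the positions i of a finite prefix, return the
    time map with T_{i+1} = T_i + delta_{J_i}.  delta_{{}} = 0 is a legal increase,
    since digital time is only weakly monotonic.  T has one entry more than
    J_seq, because position i is decoded from the increase to its successor."""
    T = [T0]
    for J in J_seq:
        T.append(T[-1] + code(J))
    return T

def decode_predicates(T, n):
    """p_j(i) iff j in J_{T_{i+1} - T_i}; no j lies in J_delta for an improper delta."""
    out = []
    for i in range(len(T) - 1):
        J = subset_of_code(T[i + 1] - T[i], n)
        out.append(J if J is not None else frozenset())
    return out

def subsets_containing(j, n):
    """All J with j in J: the range of the disjunction in the TPTL substitute."""
    others = [k for k in range(1, n + 1) if k != j]
    for r in range(len(others) + 1):
        for rest in combinations(others, r):
            yield frozenset(rest) | {j}

def tptl_substitute_holds(T, i, j, n):
    """Semantics at position i of the TPTL formula that replaces p_j:
         x. O y. OR_{J containing j} (y = x + delta_J)
    freeze x := T_i, step to position i+1, freeze y := T_{i+1}, test the disjunction."""
    x, y = T[i], T[i + 1]
    return any(y == x + code(J) for J in subsets_containing(j, n))

def correspondence_holds(J_seq, n):
    """Round trip I -> T -> I, and agreement of p_j(i) with its TPTL substitute."""
    T = encode_time_map(J_seq)
    return (decode_predicates(T, n) == list(J_seq) and
            all(tptl_substitute_holds(T, i, j, n) == (j in J_seq[i])
                for i in range(len(J_seq)) for j in range(1, n + 1)))

if __name__ == '__main__':
    # Constructed sample: n = 3 predicates over a prefix of four positions.
    sample = [frozenset({1}), frozenset(), frozenset({2, 3}), frozenset({1, 2, 3})]
    print(encode_time_map(sample))           # [0, 1, 1, 7, 14]
    print(correspondence_holds(sample, 3))   # True
    # "one-to-many": an improper increase (9 >= 2**3) decodes to the empty set.
    print(decode_predicates([0, 9, 9], 3))   # [frozenset(), frozenset()]
```

The last call illustrates the "one-to-many" direction of the proof: every time map whose increases are not proper codes still decodes to some interpretation, so several timed state sequences correspond to one model of $\psi_M$.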

Expressive power of congruences

If we disallow the use of congruence relations in TPTL, the resulting logic is strictly less expressive. Consider the following formula $\phi$:

$$\Box x.\,(x \equiv_2 0 \rightarrow p).$$

It characterizes the timed state sequences in which "$p$ is true at all even times." We show that this property is not expressible without congruence relations. Suppose that the TPTL-formula $\psi$, which does not contain any congruence relations, were equivalent to $\phi$. Let $c - 1 \in \mathbb{N}$ be the largest constant that occurs in $\psi$. It is not hard to see that $\psi$ cannot distinguish between the timed state sequences $\rho_1 = (\sigma, \lambda i.\,2ic)$ and $\rho_2 = (\sigma, \lambda i.\,(2ic + 1))$, for any state sequence $\sigma$: without congruences, $\psi$ can only compare time differences between states against its constants, and in both sequences every such difference exceeds every constant of $\psi$. Yet if $p$ is not continuously true in $\sigma$, only one of $\rho_1$ and $\rho_2$ satisfies $\phi$.

Note that TPTL without congruence relations has the same expressive power as the first-order language $\mathcal{L}_T$ without congruences. However, as has been pointed out above, the congruence primitives do not affect the "timeless" expressiveness of these formalisms; for example, we have demonstrated that the property that "$p$ holds in every even state" (as opposed to every state with an even time) can be defined without congruences.

3.3.3 Timed extended temporal logic

PTL does not have the full expressive power of the second-order language $\mathcal{L}^2$: recall that the property $even(p)$, that "$p$ is true in every even state,"

$$\exists q.\,(q(0) \wedge \forall i.\,(q(i) \rightarrow (p(i) \wedge \neg q(i+1) \wedge q(i+2)))),$$

is not expressible in PTL [130]. That is why Wolper has defined extended temporal logic (ETL), which includes a temporal operator for every right-linear grammar. ETL has the same expressiveness as $\mathcal{L}^2$ or, equivalently, $\omega$-regular expressions, and yet a singly exponential decision procedure.

The situation for TPTL is similar: there is no TPTL-formula whose models are precisely the timed state sequences in which, independent of the time map, $p$ holds at every even state. For suppose there were such a formula $\phi$; we show that this would imply the expressibility of $even(p)$ in $\mathcal{L}$. First construct an $\mathcal{L}$-formula that is equivalent to $\phi$ and contains the additional time-difference and time-congruence predicates $Prev_\delta$, $Prev_{>\delta}$, and $Cong_{d,\delta}$ as usual. Then fix a constant $c > 0$ that is a common multiple of all moduli $d$ that occur in congruence predicates of $\phi$, and replace all occurrences of $Prev_\delta$, $Prev_{>\delta}$, and $Cong_{d,\delta}$ by $true$ or $false$ depending on whether $\delta = c$, $\delta < c$, and $\delta \equiv_d 0$, respectively. This simplification does not affect the truth of the formula over interpretations in which the time increases, starting from 0, always by the constant $c$ from one state to the next. Thus, the resulting formula $\psi$ is satisfied by a state sequence $\sigma$ iff $(\sigma, \lambda i.\,ic) \in \Pi(\phi)$; that is, iff $p$ is true in every even state of $\sigma$.

Fortunately, analogously to PTL, we are able to generalize TPTL to timed extended temporal logic, TETL, by introducing temporal grammar operators. Here TETL is shown to have the full expressive power of $\mathcal{L}_T^2$; in Chapter 4 we will prove that it is no more expensive to decide than TPTL.

Syntax and semantics of TETL

Given a set $P$ of proposition symbols and a set $V$ of variables, the terms of TETL are the same as in TPTL. The formulas of TETL are inductively defined as follows:

$$\phi ::= p \mid \pi_1 \leq \pi_2 \mid \pi_1 \equiv_d \pi_2 \mid false \mid \phi_1 \rightarrow \phi_2 \mid x.\,\phi \mid \mathcal{G}(\phi_1, \ldots, \phi_m)$$

where $x \in V$, $p \in P$, $d \neq 0$, and $\mathcal{G}(a_1, \ldots, a_m)$ is a right-linear grammar with the $m$ terminal symbols $a_1, \ldots, a_m$. (Like ETL, TETL can alternatively be defined using automata connectives for all Büchi automata, instead of grammar operators [131].)

As with TPTL, TETL-formulas are interpreted over timed state sequences. Given a timed state sequence $\rho$, a position $i \geq 0$, and an environment $\mathcal{E}$, the semantics of the grammar operators is defined by the following clause:

$\rho^i \models_{\mathcal{E}} \mathcal{G}(\phi_1, \ldots, \phi_m)$ iff there is a (possibly infinite) word $w = a_{w_0} a_{w_1} a_{w_2} \ldots$ generated by $\mathcal{G}(a_1, \ldots, a_m)$ such that $\rho^{i+j} \models_{\mathcal{E}} \phi_{w_j}$ for all positions $j \geq 0$ of $w$.

As with TPTL, we restrict ourselves to closed formulas of TETL and take every TETL-formula $\phi$ to define, unless another time domain is given explicitly, the digital property

$$\Pi(\phi) \subseteq TSS_{\mathbb{N}}.$$

Note that all temporal operators of TPTL are expressible by the grammar operators of TETL. For example, the TPTL-operator $\Box$ corresponds to the grammar $\mathcal{G}_\Box(a)$ with the only production

$$\mathcal{G}_\Box(a) \rightarrow a\,\mathcal{G}_\Box(a)$$

(we identify grammars with their starting nonterminal symbols). The formula $even(p)$, which is not expressible in TPTL, can be stated as $\mathcal{G}_{even}(p, true)$, for the production

$$\mathcal{G}_{even}(a_1, a_2) \rightarrow a_1 a_2\,\mathcal{G}_{even}(a_1, a_2),$$

which generates the word $p\;true\;p\;true \ldots$ and thus requires $p$ at the positions $0, 2, 4, \ldots$.

Expressiveness of TETL

By defining the property $even(p)$ in TETL, we have demonstrated that its expressiveness is strictly greater than that of TPTL. The following theorem characterizes the expressiveness of TETL as equivalent to the second-order language $\mathcal{L}_T^2$.

Theorem 3.3 (Expressiveness of TETL) For every formula $\phi$ of TETL, there exists a formula $\psi$ of $\mathcal{L}_T^2$ such that $\Pi(\phi) = \Pi(\psi)$, and vice versa.

Proof of Theorem 3.3 (1) We extend the translation $Classic_0$ that embeds TPTL into $\mathcal{L}_T$ to accommodate the grammar operators of TETL. The target formulas will contain second-order quantifiers over unary predicates, and thus belong to $\mathcal{L}_T^2$. For the sake of keeping the presentation simple, we assume that all grammar operators correspond to productions of the form

We add the following clause to the definition of $Classic_k$, for $k \geq 0$:

$$Classic_k(\mathcal{G}_0(\phi_1, \ldots, \phi_m)) = \exists p_{g_0} \ldots \exists p_{g_M}.\,\Big(p_{g_0}(k) \wedge \forall k' \geq k.\,\bigwedge_{0 \leq l \leq M} \chi_{g_l}(k')\Big)$$

for some new unary predicate symbols $p_{g_l}$, where $g_0, \ldots, g_M$ are all the nonterminal symbols that occur in the grammar $\mathcal{G}_0(a_1, \ldots, a_m)$, and $\chi_g(k)$ stands for the $\mathcal{L}_T^2$-formula

$$p_g(k) \leftrightarrow (Classic_k(\phi_l) \vee (Classic_k(\phi_{l'}) \wedge p_{g'}(k+1)))$$

(the two disjuncts correspond to the terminating production of $g$ and to the production of $g$ that continues with the nonterminal $g'$).

Consider an arbitrary timed state sequence $\rho$. We show, by induction on the structure of $\phi$, that $\rho^k \models_{\mathcal{E}} \phi$ iff $\rho \models_{\mathcal{E}} Classic_k(\phi)$ for all $k \geq 0$ and environments $\mathcal{E}$.

The crucial case that $\phi$ has the form $\mathcal{G}_0(\phi_1, \ldots, \phi_m)$ is derived as follows. To establish the existence of appropriate predicates $p_{g_l}$, for $0 \leq l \leq M$, let $p_{g_l}$ be true in state $k' \geq k$ iff $\rho^{k'} \models_{\mathcal{E}} g_l(\phi_1, \ldots, \phi_m)$, where $g_l(\phi_1, \ldots, \phi_m)$ is the grammar operator with start symbol $g_l$. On the other hand, given the predicates $p_{g_l}$ satisfying $\chi_{g_l}(k')$ for all $k' \geq k$, we can construct a word $w = a_{w_0} a_{w_1} a_{w_2} \ldots$ generated by $\mathcal{G}_0(a_1, \ldots, a_m)$ such that $\rho^{k+j} \models_{\mathcal{E}} \phi_{w_j}$. It follows that, for any TETL-formula $\phi$, the $\mathcal{L}_T^2$-formula $Classic_0(\phi)$ is equivalent to $\phi$.

(2) The argument for the expressive completeness of TETL with respect to $\mathcal{L}_T^2$ is analogous to the corresponding proof for TPTL and $\mathcal{L}_T$ (use the expressive completeness of ETL with respect to $\mathcal{L}^2$). $\blacksquare$

Let us complete the expressibility picture by a few remarks. It is not hard to see that both the "untimed" and the "timeless" expressiveness of TETL (as measured by the sets $\Pi_1(\phi)$ and $\Pi_{\mathbb{N}}(\phi)^-$, respectively, for TETL-formulas $\phi$) are that of ETL or, equivalently, the second-order language $\mathcal{L}^2$. It is also immediate that the congruence relations contribute to the expressive power even of TETL (and in a nontrivial way), because the property that "$p$ is true at all even times" is still not expressible without congruence relations.


TPTL with quantification over propositions

There are several alternatives to the grammar operators of ETL. PTL can be extended by fixed-point operators (thus obtaining a variant of the propositional $\mu$-calculus [75]; see also [15, 126]) or by second-order quantification over propositions (QPTL of Wolper [129] and Sistla [118]) in order to achieve the full expressive power of $\mathcal{L}^2$. While fixed points can be viewed as generalized grammar operators and yield to verification algorithms, QPTL is nonelementary. It is straightforward to show that both extensions have, indeed, the expected, analogous effect in the TPTL framework; they give decidable real-time specification languages with the expressiveness of $\mathcal{L}_T^2$. However, timed QPTL is, as a superset of QPTL, nonelementary, and thus unsuitable as a finite-state verification formalism.
3.3.4 Nonelementary extensions

In Chapter 4, we will see that the decision problem for TPTL (as well as TETL) is in EXPSPACE. We have seen that TPTL restricts $\mathcal{L}_T$ to "temporal" quantification over the state sort and no quantification over the time sort. Can we relax the restrictions without sacrificing elementary decidability? Arbitrary quantification over the state sort encompasses full $\mathcal{L}$ and is, therefore, clearly nonelementary. In this subsection, we first study the generalization of TPTL that admits quantification over the time sort, and show it to be nonelementary as well. Then we add past temporal operators to TPTL, an extension that does not affect the complexity of PTL. It is therefore quite surprising that the past operators render TPTL nonelementary.

TPTL with quantification over time

Recall that several authors have proposed to use first-order temporal logic with a single state variable $t$, which represents the time in every state, for the specification of real-time properties. For instance, the bounded-response property has been defined in "real-time temporal logic" by the formula

$$\forall x.\,\Box(p \wedge t = x \rightarrow \Diamond(q \wedge t \leq x + 1)),$$

which uses auxiliary rigid variables like $x$ to refer to the time (i.e., the value of $t$) of different temporal contexts. Eliminating the state variable $t$, we see that this notation corresponds to TPTL extended by classical universal and existential first-order quantification over time variables:

$$\forall x.\,\Box y.\,(p \wedge y = x \rightarrow \Diamond z.\,(q \wedge z \leq x + 1)).$$

We call this generalization of TPTL, whose syntax definition is supplemented by the new clause

if $\phi$ is a formula and $x \in V$, then $\exists x.\,\phi$ is also a formula,

quantified TPTL or TPTL$_\exists$. Given a timed state sequence $\rho$, a position $i \geq 0$, and an environment $\mathcal{E}$, the classical quantifiers are interpreted as usual:

$$\rho^i \models_{\mathcal{E}} \exists x.\,\phi \;\text{ iff }\; \rho^i \models_{\mathcal{E}[x := t]} \phi \text{ for some } t \in TIME.$$
TPTL$_\exists$ seems, on the surface, more expressive than TPTL, because it can state properties of times that are not associated with any state. But it is easy to see that TPTL$_\exists$ can still be embedded into $\mathcal{L}_T$; let

$$Classic_i(\exists x.\,\phi) = \exists x.\,Classic_i(\phi).$$

The satisfiability of TPTL$_\exists$ is, therefore, decidable, and its expressive power, measured as the sets of timed state sequences specifiable in the logic, is the same as that of TPTL. We show that TPTL$_\exists$, however, is not elementarily decidable. This provides additional justification for our preference for TPTL over the existing notation with classical quantifiers over time: prohibiting quantification over time not only leads, as was argued above, to a more natural specification language, but is necessary for the existence of finite-state verification algorithms.

Theorem 3.4 (Complexity of TPTL$_\exists$) The validity problem for TPTL$_\exists$ is nonelementary.

Proof of Theorem 3.4 We translate the nonelementary monadic first-order theory of $(\mathbb{N}, <)$ [121] into TPTL$_\exists$. With the help of the formula

$$\Box x.\,\bigcirc y.\,y = x + 1, \qquad (\phi_{+1})$$

we can force time to act as a state counter; then we can simulate state quantifiers by the time quantifiers of TPTL$_\exists$. Given a formula $\phi$ of $\mathcal{L}$, we construct a formula $\psi$ of TPTL$_\exists$ such that $\phi$ is valid iff the TPTL$_\exists$-formula $\phi_{+1} \rightarrow \psi$ is valid. The formula $\psi$ is obtained from $\phi$ by replacing every atomic subformula of the form $p(i)$ with $\Diamond z.\,(p \wedge z = i)$ (read the quantifiers of $\phi$ as quantifiers over the time sort). $\blacksquare$

TPTL with past

Lichtenstein, Pnueli, and Zuck [84] extended PTL with the past temporal operators $\ominus$ (previous) and $\mathcal{S}$ (since), the duals of $\bigcirc$ and $\mathcal{U}$. These operators can be added at no extra cost, and although they do not increase the expressive power of PTL, they allow a more direct and convenient expression of certain properties. Let TPTL$_P$ be the logic that results from TPTL by adding the following clause to the inductive definition of formulas:

if $\phi_1$ and $\phi_2$ are formulas, then so are $\ominus\phi_1$ and $\phi_1\,\mathcal{S}\,\phi_2$.

The meaning of the past operators is given by

$\rho^i \models_{\mathcal{E}} \ominus\phi$ iff $i = 0$ or $\rho^{i-1} \models_{\mathcal{E}} \phi$,

$\rho^i \models_{\mathcal{E}} \phi_1\,\mathcal{S}\,\phi_2$ iff $\rho^j \models_{\mathcal{E}} \phi_2$ for some $j \leq i$ and $\rho^k \models_{\mathcal{E}} \phi_1$ for all $j < k \leq i$.

Clearly, TPTL$_P$ can still be embedded into $\mathcal{L}_T$:

$Classic_0(\ominus\phi) = true$,

$Classic_{i+1}(\ominus\phi) = Classic_i(\phi)$,

$Classic_i(\phi_1\,\mathcal{S}\,\phi_2) = \exists j \leq i.\,(Classic_j(\phi_2) \wedge \forall j < k \leq i.\,Classic_k(\phi_1))$.

Hence the satisfiability of this logic is, again, decidable, and its expressive power is no greater than that of TPTL. However, unlike in the case of PTL, there is a surprisingly heavy price to be paid for adding the past operators.

Theorem 3.5 (Complexity of TPTL$_P$) The validity problem for TPTL$_P$ is nonelementary.

Proof of Theorem 3.5 Again, we are able to use the nonelementary nature of the monadic first-order theory of $(\mathbb{N}, <)$. By adopting time as a state counter, we can simulate true existential quantification over time by the past operator $\blacklozenge$ (where $\blacklozenge\phi$ abbreviates $true\,\mathcal{S}\,\phi$), because the past operators allow us to restore the correct temporal context. Given a formula $\phi$ of $\mathcal{L}$, we construct a formula $\psi$ of TPTL$_P$ such that $\phi$ is valid iff the TPTL$_P$-formula $\phi_{+1} \rightarrow \psi$ is valid.

The first step in translating $\phi$ is the same as in the proof of the nonelementary complexity of TPTL$_\exists$. In a second step we replace every subformula of the form $\exists x.\,\theta$ with the formula

$$y.\,(\Diamond x.\,\blacklozenge z.\,(z = y \wedge \theta) \;\vee\; \blacklozenge x.\,\Diamond z.\,(z = y \wedge \theta)).$$

$\blacksquare$
3.4 Metric Temporal Logic

Several authors have tried to adapt temporal logic to reason about real-time properties by interpreting modalities as real-time operators. For instance, Koymans suggested the notation $\Diamond_{\leq c}$ to express the notion "eventually within $c$ time units" [71]. Similar temporal operators that are parameterized with constant bounds have been used by Pnueli and Harel [110] as well as by Emerson, Mok, Sistla, and Srinivasan [37]. In this section, we extend PTL by time-bounded temporal operators and interpret the resulting logic over timed state sequences. For example, the bounded-invariance property, that "no $p$-state is followed by a $q$-state within less than 5 time units," will be written as

$$\Box(p \rightarrow \Box_{<5}\,\neg q);$$

the bounded-response property, that "every $p$-state is followed by a $q$-state within 1 time unit," will be expressed by the formula

$$\Box(p \rightarrow \Diamond_{\leq 1}\,q).$$

It is easy to see that we have, in fact, only obtained a notational variant of a subset of TPTL (rewrite, for example, every subformula $\Diamond_{\leq c}\,\phi$ as $x.\,\Diamond y.\,(y \leq x + c \wedge \phi)$).

We will show that PTL with bounded temporal operators is interesting, and worth studying in its own right, for two reasons. First, and surprisingly, it is already as expressive as full TPTL. And secondly, it may, unlike full TPTL, be augmented by past temporal operators without sacrificing its elementary decidability. Following Koymans, we call the resulting language, which includes past operators, metric temporal logic (MTL). We will conclude that MTL, too, represents a suitable formalism for the specification and verification of real-time properties: just like TPTL, MTL captures an expressively complete and yet elementary fragment of $\mathcal{L}_T$. But the two subsets of $\mathcal{L}_T$ that correspond to TPTL and MTL, respectively, are not identical. We will illustrate that either logic can state certain properties more directly and succinctly than the other one and may therefore be preferred for some specifications.

3.4.1 Syntax and semantics

Given a set of propositions $P$, the formulas $\phi$ of MTL are defined inductively as follows:

$$\phi ::= p \mid false \mid \phi_1 \rightarrow \phi_2 \mid \bigcirc_I\,\phi \mid \ominus_I\,\phi \mid \phi_1\,\mathcal{U}_I\,\phi_2 \mid \phi_1\,\mathcal{S}_I\,\phi_2$$

for $p \in P$. The subscript $I$ is one of the following:

1. A possibly unbounded interval of TIME whose end-points are natural number constants. Intervals may be open, half-open, or closed; empty, bounded, or unbounded. We say that all intervals of the forms $[0, d)$ and $(c, d)$, for $c \in \mathbb{N}$, $d \in \mathbb{N} \cup \{\infty\}$, and $c < d$, are open; all intervals of the forms $[c, d]$ and $[c, \infty)$, for $c, d \in \mathbb{N}$ and $c \leq d$, are closed. We freely denote intervals by pseudo-arithmetic expressions. For example, the expressions $\leq d$ and $> c$ stand for the intervals $[0, d]$ and $(c, \infty)$, respectively. The expression $\delta + I$, where $I$ is an interval and $\delta \in TIME$, denotes the interval $\{\delta + t \mid t \in I\}$.

2. A congruence expression of the form $\equiv_d c$, for $c, d \in \mathbb{N}$ and $d \neq 0$. Congruence expressions are, as usual, prohibited in the analog-clock model.

We remark that we do not choose to bound both arguments of the until and since operators by subscripts, simply because we feel that doing so would impair the readability of formulas and, as we shall see, would not increase the expressive power of the logic. As in the case of TPTL, we assume that all constants in an MTL-formula are given in a binary encoding.

Timed state sequence semantics

The formulas of MTL are interpreted over timed state sequences. Instead of giving MTL its own semantics, we translate every MTL-formula $\phi$ into a TPTL$_P$-formula $Freeze(\phi)$:

$Freeze(p) = p$,

$Freeze(false) = false$,

$Freeze(\phi_1 \rightarrow \phi_2) = Freeze(\phi_1) \rightarrow Freeze(\phi_2)$,

$Freeze(\bigcirc_I\,\phi) = x.\,\bigcirc y.\,(y \in x + I \wedge Freeze(\phi))$,

$Freeze(\ominus_I\,\phi) = x.\,\ominus y.\,(y \in x - I \wedge Freeze(\phi))$,

$Freeze(\phi_1\,\mathcal{U}_I\,\phi_2) = x.\,(Freeze(\phi_1)\;\mathcal{U}\;y.\,(y \in x + I \wedge Freeze(\phi_2)))$,

$Freeze(\phi_1\,\mathcal{S}_I\,\phi_2) = x.\,(Freeze(\phi_1)\;\mathcal{S}\;y.\,(y \in x - I \wedge Freeze(\phi_2)))$

such that

1. If $I$ is an interval of the form $[c, d)$, then the expressions $x \in y + I$ and $x \in y - I$ stand for the timing constraints $y + c \leq x < y + d$ and $x + c \leq y < x + d$, respectively. It is straightforward to fill in which timing constraints of TPTL are denoted by other interval expressions.

2. If $I$ is a congruence expression of the form $\equiv_d c$, then the expressions $x \in y + I$ and $x \in y - I$ both stand for the timing constraint $x \equiv_d c$.

We take an MTL-formula $\phi$ to define the same property as the TPTL$_P$-formula $Freeze(\phi)$:

$$\Pi(\phi) = \Pi(Freeze(\phi)).$$

It follows that every MTL-formula defines, in the analog-clock model, the analog property $\Pi_{\mathbb{R}}(\phi) \subseteq TSS_{\mathbb{R}}$; in the digital-clock model, the digital property $\Pi_{\mathbb{N}}(\phi) \subseteq TSS_{\mathbb{N}}$; in the untimed model, the untimed property $\Pi_1(\phi) \subseteq TSS_1$. As for TPTL, the digital-clock model is taken to be the default for MTL. Note that in the digital-clock model, for every MTL-formula there is an equivalent formula that contains only closed time intervals (for example, replace any subformula $\phi_1\,\mathcal{U}_{[c,d)}\,\phi_2$ with $\phi_1\,\mathcal{U}_{[c,d-1]}\,\phi_2$ if $c < d$, and with $false$ if $c = d$).

Additional bounded temporal operators can be defined in terms of the given MTL-operators $\bigcirc_I$ (bounded strong next) and $\mathcal{U}_I$ (bounded until) as follows:

Bounded weak next: $\odot_I\,\phi$ stands for $\neg\bigcirc_I\,\neg\phi$.

Bounded eventually: $\Diamond_I\,\phi$ stands for $true\,\mathcal{U}_I\,\phi$.

Bounded always: $\Box_I\,\phi$ stands for $\neg\Diamond_I\,\neg\phi$.

Bounded unless: $\phi_1\,\mathcal{W}_I\,\phi_2$ stands for $\phi_1\,\mathcal{U}_I\,\phi_2 \vee \Box_{[0,\infty)}\,\phi_1$.

Note that while the strong-next formula $\bigcirc_{=2}\,p$ is satisfied by a timed state sequence iff the "next" (i.e., second) state is a $p$-state and its time is 2 greater than the time of the "current" (i.e., initial) state, the weak-next formula $\odot_{=2}\,p$ requires that the second state is a $p$-state only if the time increase between the first and the second state is 2. Similarly, for any time interval $I$, the MTL-formula $\Diamond_I\,p$ asserts that there is a $p$-state with a time that is within the interval $I$ of the "current" (initial) time; the MTL-formula $\Box_I\,p$ stipulates that all states in that interval are $p$-states (although there may be none):

$\rho \models \Diamond_I\,\phi$ iff $\rho^i \models \phi$ for some $i \geq 0$ with $T_i \in T_0 + I$,

$\rho \models \Box_I\,\phi$ iff $\rho^i \models \phi$ for all $i \geq 0$ with $T_i \in T_0 + I$.
On the other hand, the MTL-formula $\Diamond_{\equiv_2 1}\,p$ is true of a timed state sequence iff $p$ is true in some state whose time is odd (independent of the initial time). While time intervals constrain the time differences between states, congruence expressions refer to the absolute times of states.

We usually suppress the universal interval $[0, \infty)$ as a subscript. Thus the MTL-operators $\bigcirc$ (which is equivalent to $\odot$), $\Diamond$, $\Box$, $\mathcal{U}$, and $\mathcal{W}$ coincide with the conventional unbounded next, eventually, always, until, and unless operators of PTL. More precisely, every MTL-formula $\phi$ without operator subscripts specifies a time-invariant property and can be read as a formula $\psi$ of PTL:

$$\Pi(\phi)^- = \Pi_1(\phi) = \Pi(\psi).$$

It follows that MTL, like TPTL, is a conservative extension of PTL.

From our embedding of MTL into TPTL$_P$, it follows that MTL is decidable, and that both TPTL and MTL are orthogonal fragments of TPTL$_P$ and, hence, $\mathcal{L}_T$: while TPTL prohibits past operators, MTL corresponds to a subset of TPTL$_P$ wherein all timing constraints relate only variables that refer to "adjacent" temporal contexts. In the following subsection, we will show that, like TPTL, MTL also selects an expressively complete subset of $\mathcal{L}_T$. First, however, let us indicate another possible semantics for MTL.

Interval semantics

It is obvious that the properties that are definable in MTL (or TPTL) are not necessarily (weakly) closed under stuttering. There are two reasons why MTL-formulas can detect stuttering:

1. MTL contains next operators. Thus we may wish to ban the next operators from specifications, as has been argued by Lamport for PTL [78]. Observe, for example, that both bounded-invariance and bounded-response properties can be defined without next operators. On the other hand, when we represent timed transition systems by temporal formulas in Chapter 4, we will find it convenient to use next operators to define the next-state relation of a transition system.

2. MTL is interpreted over observation sequences (i.e., timed state sequences) rather than state interval sequences. For example, the MTL-formula $\Box_{[3,8]}\,false$ specifies a property that is not weakly closed under stuttering. However, while the requirement $\Box_{[3,8]}\,false$ is, perhaps undesirably, satisfied by some observation sequences (namely, if there is no observation between time 3 and time 8 after the initial observation), it cannot be satisfied by any state interval sequence, which has one or more states at every point in time. This phenomenon can be exploited by interpreting real-time languages over state interval sequences.

Recall that state interval sequences correspond to deterministic timed state sequences. Indeed, over deterministic timed state sequences we can give MTL (and TPTL, for that matter) an interval semantics such that every property that can be defined by a formula without next operators is closed under stuttering. We have pursued this approach at a different opportunity [9]; here, we present only the interval interpretation of a small fragment of MTL. Let $\rho = (\sigma, T)$ be a deterministic timed state sequence and $I$ a time interval:

$\rho \models p$ iff $p \in \sigma_0$,

$\rho \not\models false$,

$\rho \models \phi_1 \rightarrow \phi_2$ iff $\rho \models \phi_1$ implies $\rho \models \phi_2$,

$\rho \models \Diamond_I\,\phi$ iff $\rho' \models \phi$ for some $\delta$-suffix $\rho'$ of $\rho$ with $\delta \in I$.

This interval interpretation of MTL-formulas implies that

$\rho \models \Box_I\,\phi$ iff $\rho' \models \phi$ for every $\delta$-suffix $\rho'$ of $\rho$ with $\delta \in I$

and, in particular, that $\rho \not\models \Box_I\,false$ if $I$ is not empty.

3.4.2 Expressive completeness

Because of the past operators, MTL can express certain properties more succinctly than TPTL. Recall, for example, the traffic-light controller from Subsection 2.2.3. Requirement (A), that within 5 time units from any request, the light turns green and stays green for at least 5 time units, can be naturally specified in both logics:

$$\Box x.\,(request \rightarrow \Diamond y.\,(y \leq x + 5 \wedge \Box z.\,(z \leq y + 5 \rightarrow light = green))),$$

$$\Box(request \rightarrow \Diamond_{\leq 5}\,\Box_{\leq 5}\,(light = green)).$$

But requirement (B), that the light should be red if there has not been a request for 25 time units, belongs to the class of properties that assert that every effect was preceded by a cause, which are most naturally expressed by past operators:

$$\Box(light = green \rightarrow \blacklozenge_{\leq 25}\,request),$$

where the bounded past-eventually operator $\blacklozenge_I\,\phi$ stands for $true\,\mathcal{S}_I\,\phi$.

On the other hand, consider the following TPTL-formula, which asserts that "every $p$-state is followed by a $q$-state and, later, an $r$-state within 5 time units":

$$\Box x.\,(p \rightarrow \Diamond(q \wedge \Diamond y.\,(r \wedge y \leq x + 5))).$$

This property has no natural expression in MTL. However, in the digital-clock model, the discrete nature of time can be exploited to translate the property into MTL:

$$\Box\Big(p \rightarrow \bigvee_{c=0}^{5} \Diamond_{=c}\,(q \wedge \Diamond_{\leq 5-c}\,r)\Big).$$
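The translation rests on the fact that, in the digital-clock model, the time distance from the $p$-state to the $q$-state is one of the integers $0, \ldots, 5$, so the disjunction can enumerate it. The following is an added example written for this edition, not code from the thesis: it writes out the semantics of both the TPTL formula and its MTL translation directly for finite prefixes (with $\Box$ ranging over the positions of the prefix, an assumption of the example) and compares the two on every timed state sequence of length at most 3 over $\{p, q, r\}$ with time increases drawn from a small set. A deliberately truncated disjunction ($c \leq 4$ instead of $c \leq 5$) is included to show that the check catches an off-by-one in such a translation.

```python
# Added example, not part of the thesis: a brute-force differential check, over
# all small timed state sequences in the digital-clock model, that the TPTL formula
#     []x.(p -> <>(q /\ <>y.(r /\ y <= x + 5)))
# and its MTL translation
#     [](p -> OR_{c=0..5} <>_{=c}(q /\ <>_{<=5-c} r))
# define the same property.  The semantics of both formulas is written out
# directly, for finite prefixes ([] ranges over the positions of the prefix).
from itertools import product

BOUND = 5
PROPS = ('p', 'q', 'r')
STATES = [frozenset(a for a, bit in zip(PROPS, bits) if bit)
          for bits in product((0, 1), repeat=len(PROPS))]

def tptl_holds(sigma, T, bound=BOUND):
    """[]x.(p -> <>(q /\ <>y.(r /\ y <= x + bound)))  evaluated at position 0."""
    n = len(sigma)
    for i in range(n):                                   # []x.  freezes x := T[i]
        if 'p' not in sigma[i]:
            continue
        x = T[i]
        if not any('q' in sigma[j] and                   # <>(q /\ ...)
                   any('r' in sigma[k] and T[k] <= x + bound   # <>y.(r /\ y <= x + 5)
                       for k in range(j, n))
                   for j in range(i, n)):
            return False
    return True

def mtl_holds(sigma, T, bound=BOUND, cmax=BOUND):
    """[](p -> OR_{c=0..cmax} <>_{=c}(q /\ <>_{<=bound-c} r))  evaluated at position 0.
    cmax < bound yields a deliberately wrong translation, to show the check biting."""
    n = len(sigma)
    for i in range(n):
        if 'p' not in sigma[i]:
            continue
        witnessed = False
        for c in range(cmax + 1):                        # the disjunction over offsets c
            for j in range(i, n):
                if 'q' in sigma[j] and T[j] == T[i] + c:          # <>_{=c}(q /\ ...)
                    if any('r' in sigma[k] and T[k] <= T[j] + (bound - c)   # <>_{<=5-c} r
                           for k in range(j, n)):
                        witnessed = True
        if not witnessed:
            return False
    return True

def all_sequences(max_len, increments):
    """Every timed state sequence over {p,q,r} of length <= max_len with T_0 = 0
    and successive time increases drawn from `increments` (0 is allowed, since
    digital time is weakly monotonic)."""
    for n in range(1, max_len + 1):
        for sigma in product(STATES, repeat=n):
            for deltas in product(increments, repeat=n - 1):
                T = [0]
                for d in deltas:
                    T.append(T[-1] + d)
                yield list(sigma), T

def first_disagreement(max_len, increments, cmax=BOUND):
    """The first (sigma, T) on which the two formulas disagree, or None."""
    for sigma, T in all_sequences(max_len, increments):
        if tptl_holds(sigma, T) != mtl_holds(sigma, T, cmax=cmax):
            return sigma, T
    return None

if __name__ == '__main__':
    print(first_disagreement(3, (0, 1, 2, 3, 6)))           # None: the translation agrees
    print(first_disagreement(3, (0, 1, 2, 3, 6), cmax=4))   # a witness of the off-by-one
```

The enumeration is a sanity check rather than a proof, but it exercises exactly the step the translation depends on: because $T_j - T_i$ is a natural number bounded by 5 whenever the TPTL formula is satisfied, some disjunct $c$ matches it. Over a dense time domain no finite disjunction could play this role.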

In fact, we show that in the digital-clock model the expressiveness of MTL is no less than that of TPTL in any crucial way. Only properties that need to be defined, in TPTL, using absolute time references cannot be defined in our version of MTL. These properties put constraints on the absolute time of some states in a timed state sequence, such as "the time of the initial state is 2" ($x.\,x = 2$ in TPTL). Thus the inability of MTL to express absolute time references is of no importance to the analysis of timed transition systems, whose computations are closed under shifting the origin of time.

Formally, we say that a timed state sequence $(\sigma, T)$ is initial iff the time of its initial state is 0; that is, $T_0 = 0$. The following theorem states that if the expressiveness of a logic is measured by the sets of initial timed state sequences that are definable, then MTL has the same expressive power as $\mathcal{L}_T$ or, equivalently, TPTL.

Theorem 3.6 (Expressive completeness of MTL) For every formula $\phi$ of $\mathcal{L}_T$ there exists a formula $\psi$ of MTL (without past operators) such that $\rho \models \phi$ iff $\rho \models \psi$ for every initial timed state sequence $\rho \in TSS_{\mathbb{N}}$.

Proof of Theorem 3.6 As in the proof of the expressive completeness of TPTL, given a formula $\phi$ of $\mathcal{L}_T$ we construct a PTL-formula $\phi'$ with additional time-difference propositions $Prev_\delta$ and $Prev_{>\delta}$ and time-congruence propositions $Cong_{d,\delta}$ such that $\Pi_{\mathbb{N}}(\phi) = \Pi(\phi')$. Furthermore, in $\phi'$ all of the propositions $Prev_\delta$, $Prev_{>\delta}$, and $Cong_{d,\delta}$ are either not within the scope of any temporal operator, or immediately preceded by a next operator.

From $\phi'$ we obtain the desired MTL-formula $\psi$ by eliminating the time-difference and time-congruence propositions as follows. Since we consider only initial models, we replace each proposition $Prev_\delta$, $Prev_{>\delta}$, $Cong_{d,\delta}$ that is not within the scope of any temporal operator by $true$ or $false$, depending on whether $\delta = 0$ (the initial state of an initial model has absolute time 0 and no time increase to account for). Then we replace each subformula $\bigcirc Prev_\delta$ by $\bigcirc_{=\delta}\,true$, each subformula $\bigcirc Prev_{>\delta}$ by $\bigcirc_{>\delta}\,true$, and each subformula $\bigcirc Cong_{d,\delta}$ by $\bigcirc_{\equiv_d \delta}\,true$. (Observe that only the strong-next operator needs to be subscripted.) $\blacksquare$

3.5 Real-time Properties That Cannot Be Verified

At last, let us justify our decisions to

1. restrict the semantics of TPTL, MTL, and the classical theory of timed state sequences to the digital-clock model (i.e., the discrete time domain $\mathbb{N}$), and

2. restrict the syntax of timing constraints in TPTL, MTL, and the classical theory of timed state sequences to comparison, successor, and congruence operations on time.

Indeed, both decisions seem overly limiting for real-time specification languages. For example, without addition of time values the property that “the time difference between subsequent $p$-states increases forever” cannot be defined. We show, however, that both restrictions are absolutely necessary to obtain formal verification techniques; without them there exist neither decision procedures nor complete proof systems.

3.5.1 Timed temporal logic revisited: Undecidable extensions

We consider two natural extensions of TPTL, a syntactic one (allowing addition over time) and a semantic one (interpreting TPTL-formulas over a dense time domain). Both extensions are shown to be $\Pi^1_1$-complete, by reducing a $\Sigma^1_1$-hard problem of 2-counter machines to the respective satisfiability problems. It follows that they cannot even be (recursively) axiomatized (for an exposition of the analytical hierarchy consult, for instance, the book by Rogers [113]).
A $\Sigma^1_1$-complete problem

A nondeterministic 2-counter machine $M$ consists of two counters $C$ and $D$, and a sequence of $n$ instructions, each of which may increment or decrement one of the counters, or jump, conditionally upon one of the counters being zero. After the execution of a non-jump instruction, $M$ proceeds nondeterministically to one of two specified instructions. We represent the configurations of $M$ by triples $(\iota, c, d)$, where $0 \le \iota < n$, $c \ge 0$, and $d \ge 0$ are the current values of the location counter and the two counters $C$ and $D$, respectively. The consecution relation on configurations is defined in the obvious way. A computation of $M$ is an infinite sequence of related configurations, starting with the initial configuration $(0, 0, 0)$. It is called recurring iff it contains infinitely many configurations with the value of the location counter being 0.

The problem of deciding whether a nondeterministic Turing machine has, over the empty tape, a computation in which the starting state is visited infinitely often, has been shown $\Sigma^1_1$-complete by Harel, Pnueli, and Stavi [52]. Along the same lines we obtain the following result.

Lemma 3.2 (Complexity of 2-counter machines) The problem of deciding whether a given nondeterministic 2-counter machine has a recurring computation is $\Sigma^1_1$-hard.

Proof of Lemma 3.2 Every $\Sigma^1_1$-sentence is equivalent to a $\Sigma^1_1$-formula $\chi$ of the form

$$\exists f.\, \big( f(0) = 1 \;\wedge\; \forall x.\, g(f(x), f(x+1)) \big),$$

for a recursive predicate $g$ [52]. For any such $\chi$ construct a nondeterministic 2-counter machine $M$ that has a recurring computation iff $\chi$ is true.

Let $M$ start by computing $f(0) = 1$, and proceed, indefinitely, by nondeterministically guessing the next value of $f$. At each stage, $M$ checks whether $f(x)$ and $f(x+1)$ satisfy $g$, and if (and only if) so, it jumps to instruction 0. Such an $M$ exists, because 2-counter machines can, being universal, compute the recursive predicate $g$. It executes the instruction 0 infinitely often iff a function $f$ with the desired properties exists. ∎

Encoding computations of 2-counter machines

We show that the satisfiability problem for several extensions of TPTL is $\Sigma^1_1$-complete. First, we observe that the satisfiability of a formula $\phi$ can, in all cases, be phrased as a $\Sigma^1_1$-sentence, asserting the existence of a model for $\phi$. Any timed state sequence $\rho$ for $\phi$ can be encoded, in first-order arithmetic, by finitely many infinite sets of natural numbers; say, one for each proposition $p$ in $\phi$ characterizing the states in which $p$ holds, and one to encode state-time pairs. It is routine to express, as a first-order predicate, that $\phi$ holds in $\rho$. We conclude that satisfiability is in $\Sigma^1_1$.

To show that the satisfiability problem of a logic is $\Sigma^1_1$-hard, it suffices, given a nondeterministic 2-counter machine $M$, to construct a formula $\phi_M$ such that $\phi_M$ is satisfiable iff $M$ has a recurring computation. We demonstrate the technique of encoding recurring computations of $M$ by showing that the monotonicity constraint on time is necessary for the decidability of TPTL. (From the decision procedure for TPTL that will be presented in Chapter 4 it follows that the progress requirement on time may, unlike monotonicity, be relaxed without affecting the complexity of TPTL.)

Theorem 3.7 (Nonmonotonic time) Relaxing the monotonicity condition for timed sequences renders the satisfiability problem for TPTL $\Sigma^1_1$-complete.

Proof of Theorem 3.7 We encode the computation $\Gamma$ of $M$ by the divergent “time” sequence $T$ such that, for all $i \ge 0$, $T_{4i} = \iota$, $T_{4i+1} = n + c$, $T_{4i+2} = n + d$, and $T_{4i+3} = n + i$ for the $i$-th configuration $(\iota, c, d)$ of $\Gamma$. Now it is easy to express, by a TPTL-formula $\phi_M$, that a time sequence encodes a recurring computation of $M$. First specify the initial configuration, by

$$x.\, x = 0 \;\wedge\; \bigcirc x.\, x = n \;\wedge\; \bigcirc^2 x.\, x = n \;\wedge\; \bigcirc^3 x.\, x = n$$

(we abbreviate a sequence of $m$ next operators by $\bigcirc^m$). Then ensure proper consecution by adding a $\Box$-conjunct for every instruction $\iota$ of $M$. For instance, the instruction 1 that increments the counter $C$ and proceeds, nondeterministically, to either instruction 2 or 3, contributes the conjunct

$$\Box x.\, \Big( x = 1 \;\to\; \big( \bigcirc^4 y.\, (y = 2 \vee y = 3) \;\wedge\; \bigcirc y.\, \bigcirc^4 z.\, z = y + 1 \;\wedge\; \bigcirc^2 y.\, \bigcirc^4 z.\, z = y \;\wedge\; \bigcirc^3 y.\, \bigcirc^4 z.\, z = y + 1 \big) \Big).$$

The recurrence condition can be expressed by a $\Box\Diamond$-formula:

$$\Box \Diamond x.\, x = 0.$$

Clearly, the conjunction $\phi_M$ of these $n + 2$ formulas is satisfiable iff $M$ has a recurring computation. ∎

Note that we do not require any propositions in the proof. It follows that first-order temporal logic with a single state variable ranging over the natural numbers is $\Pi^1_1$-complete, provided the underlying assertion language has at least successor (in addition to equality) as a primitive.
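As an added illustration of the encoding in the proof of Theorem 3.7 (example code, not the thesis's own), the following Python builds the time sequence $T$ for a finite prefix of a computation of a small 2-counter machine and evaluates the initial-configuration, consecution, and recurrence conjuncts over that prefix; the machine, its instruction tuple format, and the sample computation are constructed for this example.

```python
"""Encoding a 2-counter machine computation as the "time" sequence of
Theorem 3.7.  Constructed example, not the thesis's own code: the machine,
the instruction tuples and the sample computation are made up here.

Instruction forms (an assumption of this example):
  ("inc", "C"|"D", (a, b))  increment the counter, then go to a or b
  ("dec", "C"|"D", (a, b))  decrement the counter (must be > 0), then go to a or b
  ("jz",  "C"|"D", a, b)    go to a if the counter is zero, otherwise to b
"""

def successors(machine, config):
    """Consecution relation: all configurations one step after `config`."""
    iota, c, d = config
    instr = machine[iota]
    kind, ctr = instr[0], instr[1]
    value = c if ctr == "C" else d
    if kind == "jz":
        return {(instr[2] if value == 0 else instr[3], c, d)}
    if kind == "dec" and value == 0:
        return set()              # decrement of an empty counter: no successor
    delta = 1 if kind == "inc" else -1
    nc, nd = (c + delta, d) if ctr == "C" else (c, d + delta)
    return {(nxt, nc, nd) for nxt in instr[2]}

def encode(computation, n):
    """T_4i = iota, T_4i+1 = n + c, T_4i+2 = n + d, T_4i+3 = n + i for the
    i-th configuration (iota, c, d); n is the number of instructions."""
    T = []
    for i, (iota, c, d) in enumerate(computation):
        T += [iota, n + c, n + d, n + i]
    return T

def is_monotonic(T):
    """Would the sequence be admissible as a monotonic time sequence?"""
    return all(T[k] <= T[k + 1] for k in range(len(T) - 1))

def check_prefix(T, machine):
    """Evaluate the conjuncts of phi_M on a finite prefix of a time sequence.
    Returns (ok, decoded configurations, blocks i whose location counter is 0)."""
    n = len(machine)
    if len(T) < 4 or len(T) % 4:
        return False, [], []
    # x. x = 0 /\ Ox. x = n /\ O^2 x. x = n /\ O^3 x. x = n
    if T[:4] != [0, n, n, n]:
        return False, [], []
    blocks = len(T) // 4
    configs = [(T[4*i], T[4*i+1] - n, T[4*i+2] - n) for i in range(blocks)]
    for i in range(blocks - 1):
        # the []-conjunct of the instruction executed at block i: the next
        # location O^4 y.(y = a \/ y = b), the two counter updates, and
        # O^3 y. O^4 z. z = y + 1 for the step counter
        if configs[i + 1] not in successors(machine, configs[i]):
            return False, configs, []
        if T[4*i + 7] != T[4*i + 3] + 1:
            return False, configs, []
    # []<> x. x = 0 can only be sampled on a prefix: report the visits
    recurring = [i for i in range(blocks) if T[4*i] == 0]
    return True, configs, recurring

# Constructed sample machine (n = 3): 0 increments C, 1 decrements C, 2 jumps
# back to 0 when C is zero.  From (0,0,0) it loops and visits location 0 forever.
SAMPLE_MACHINE = [("inc", "C", (1, 1)), ("dec", "C", (2, 2)), ("jz", "C", 0, 1)]
SAMPLE_COMPUTATION = [(0, 0, 0), (1, 1, 0), (2, 0, 0), (0, 0, 0)]

if __name__ == "__main__":
    T = encode(SAMPLE_COMPUTATION, len(SAMPLE_MACHINE))
    print("T =", T)                       # drops below n at every 4i: nonmonotonic
    print("monotonic:", is_monotonic(T))
    print("check:", check_prefix(T, SAMPLE_MACHINE))
```

The drop of $T$ below $n$ at every position $4i$ is exactly where the encoding relies on nonmonotonic time.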


Presburger TPTL

We show that a certain extremely modest relaxation of the syntax of timing constraints leads to a highly undecidable logic. Consequently, TPTL with addition over time is undecidable.

Theorem 3.8 (Presburger TPTL) If the syntax of TPTL is extended to allow multiplication by 2, the satisfiability problem becomes $\Sigma^1_1$-complete.

Proof of Theorem 3.8 To encode computations of $M$, we use the propositions $p_1, \ldots, p_n$, $r_1$, and $r_2$, precisely one of which is true in any state; hence we may identify states with propositions. The configuration $(\iota, c, d)$ of $M$ is represented by the finite sequence $p_\iota\, r_1^c\, r_2^d$ of states.

The initial configuration ($p_0$) as well as the recurrence condition ($\Box\Diamond p_0$) can be easily expressed in PTL. The crucial property that allows a temporal logic to specify the consecution relation of configurations, and thus the set of computations of $M$, is the ability to copy an arbitrary number of $r$-states. In real-time temporal logics, the times that are associated with a state sequence can be used for copying. With the availability of multiplication by 2, we are able to have the $i$-th configuration of a computation correspond, for all $i \ge 0$, to the finite sequence of states that is mapped to the time interval $[2^i, 2^{i+1})$. First, we force the time to increase by a strictly positive amount between successive states ($\Box x.\, \bigcirc y.\, y > x$), to ensure that every state is uniquely identifiable by its time. Then we can copy groups of $r$-states by establishing a one-to-one correspondence of $r_j$-states ($j = 1, 2$) at time $t$ and time $2t$; clearly there are enough time gaps to accommodate an additional $r_j$-state when required by an increment instruction.

For instance, the instruction 1 that increments the counter $C$ and proceeds, nondeterministically, to either instruction 2 or 3, can be expressed as follows:

$$\Box x.\, \Bigg( p_1 \;\to\; \left( \begin{array}{l}
\Diamond z.\, (z = 2x \wedge (p_2 \vee p_3)) \;\wedge \\
\Box x_1.\, \bigcirc x_2.\, (x_2 < 2x \;\to\; \Diamond z_1.\, (z_1 = 2x_1 \wedge \bigcirc z_2.\, z_2 = 2x_2)) \;\wedge \\
\bigwedge_{j=1,2} \Box y.\, (y < 2x \wedge r_j \;\to\; \Diamond z.\, (z = 2y \wedge r_j)) \;\wedge \\
\Box y_1.\, \bigcirc y_2.\, (y_2 = 2x \;\to\; \Diamond z_1.\, (z_1 = 2y_1 \wedge \bigcirc z_2.\, r_1 \wedge \bigcirc\bigcirc z_3.\, z_3 = 2y_2))
\end{array} \right) \Bigg)$$

The first conjunct ensures the proper progression to one of the two specified instructions, 2 or 3; the second one establishes a one-to-one correspondence between states in successive intervals representing configurations, while the third and fourth conjuncts copy $r_j$-states ($j = 1, 2$). The last conjunct adds, finally, an $r_1$-state at the end of the successor configuration, as required by the increment operation. ∎

We can modify this proof by reducing time to a state counter ($\Box x.\, \bigcirc y.\, y = x + 1$), and letting all propositions be false in the resulting additional (padding) states. Thus, the satisfiability problem for TPTL with multiplication by 2 is $\Sigma^1_1$-hard even if time is replaced by a state counter. As a corollary we infer that the first-order theory of the natural numbers with multiplication by 2 and monadic predicates is $\Pi^1_1$-complete. A similar result was obtained independently by Halpern [49], who showed that Presburger arithmetic becomes $\Pi^1_1$-complete with the addition of a single unary predicate.

Dense TPTL

Another possible direction to extend the expressive power of TPTL is to relax its semantics by adopting a dense time domain; that is, between any two given points in time there is another time point. We show that the resulting logic is, again, highly undecidable.

Theorem 3.9 (Dense TPTL) If TPTL is interpreted over the rational numbers (i.e., $TIME = \mathbb{Q}$), the satisfiability problem becomes $\Sigma^1_1$-complete.

Proof of Theorem 3.9 The proof depends, once more, on the ability to copy groups of $r$-states. This time, we are able to have the $k$-th configuration of a computation of $M$ correspond, for all $k \ge 0$, to the finite sequence of states that is mapped to the time interval $[k, k+1)$, because dense time allows us to squeeze arbitrarily many states into every interval of length 1. Again, we identify every state with a unique time, and can then establish a one-to-one corresp(ondence of $r_j$-states ($j = 1, 2$) at time $t$ and time $t + 1$. In fact, we may simply replace all occurrences of multiplication by 2 in the Presburger-TPTL formula encoding the recurring computations of $M$ by a successor operation, in order to obtain the desired dense-TPTL formula $\phi_M$. ∎

This proof goes through for any time domain $(T, \prec, S)$ such that $(T, \prec)$ is a dense linear order, and $S$ is a unary function over $T$ that satisfies the following two first-order axioms:

$$\forall x.\, x \prec S(x),$$

$$\forall x, y.\, (x \prec y \;\to\; S(x) \prec S(y)).$$

To show that, for arbitrary dense time domains, the satisfiability problem is in $\Sigma^1_1$, a standard Löwenheim-Skolem argument is necessary to infer the existence of countable models. It follows, in particular, that the validity problem for TPTL is $\Pi^1_1$-complete in the analog-clock model.

3.5.2 The classical theory revisited: Undecidable extensions

Now we justify our claim that “the” classical theory of timed state sequences builds on the theory $(\mathbb{N}, <, =)$ of time. The reason is, once again, that more expressive theories of time cause $\Pi^1_1$-hardness. In fact, the proof technique of encoding 2-counter machines is extremely robust and can be used to show that a wide variety of real-time specification languages with an expressive power greater than that of $\mathcal{L}_T$ have highly undecidable decision problems. This suggests that we have been able to characterize an intrinsic boundary between the decidability and undecidability of formalisms that combine propositional reasoning about state sequences with first-order reasoning about time.

Theorem 3.10 (Undecidable theories of real time) The validity problems for the following two-sorted first-order theories are $\Pi^1_1$-complete:

        state theory                       time theory                             time function (from states to time)
    1   (N, <)                             (N, +1)                                 f
    2   (N, <) with monadic predicates     (N, ·2)                                 identity f
    3   (N, <) with monadic predicates     dense linear order (D, ≺) with          strictly monotonic f
                                           “successor” S:  x ≺ S(x),
                                           x ≺ y → S(x) ≺ S(y)
    4   (N, <) with monadic predicates     (N, +1)                                 identity f and strictly monotonic f'

Proof of Theorem 3.10 First, we observe that the satisfiability of a formula $\phi$ can, in all cases, be phrased as a $\Sigma^1_1$-sentence that asserts the existence of a model for $\phi$. In Case 3, the Löwenheim-Skolem theorem ensures the existence of countable models. Thus the satisfiability problem is in $\Sigma^1_1$ in each case. To prove $\Sigma^1_1$-hardness, we use again Lemma 3.2; that is, we show that the satisfiability problem of a language is $\Sigma^1_1$-hard by constructing a formula $\phi_M$ such that $\phi_M$ is satisfiable iff a given nondeterministic 2-counter machine $M$ has a recurring computation.

(1)-(3) $\Sigma^1_1$-hardness of the cases 1 through 3 follows immediately from the proofs of Theorems 3.7, 3.8, and 3.9, respectively. The TPTL-formulas that are given there to encode the computations of $M$ can be directly translated into classical first-order formulas that satisfy, in each case, the required restrictions. For example, in case 1 the result of the translation $Classic(\phi_M)$ uses only the successor primitive over time and no unary predicates.

(4) This case corresponds to having two time bases (or “clocks”) $f$ and $f'$ that are updated, from one state to the next, independently of each other. The result holds already for the special case in which $f$ is the identity function and $f'$ is strictly increasing.

The encoding of $M$-computations is very similar to the one used in the proof of Theorem 3.8 to establish the $\Sigma^1_1$-hardness of case 2. We use the unary predicates $p_1, \ldots, p_n$, $r_1$, and $r_2$ and require that at most one of these predicates is true of any state; hence we may identify states with predicate symbols. The $i$-th configuration $(\iota, c, d)$ of $M$ is represented by a sequence of $2^i$ states in the time interval $[2^i, 2^{i+1})$ that starts with a $p_\iota$-state, and contains precisely $c$ $r_1$-states and $d$ $r_2$-states. Even though the assertion language does not include the primitive of multiplication by 2, which is used to copy states, multiplication by 2 can be simulated with the help of the second time function $f'$. This can be done by restricting ourselves to interpretations in which $f'(i) = 2i$ for all $i \ge 0$, which is enforced by the formula

$$f'(0) = 0 \;\wedge\; \forall i.\, \big( f'(i+1) = f'(i) + 2 \big).$$


This theorem demonstrates that extending the syntax or semantics of $\mathcal{L}_T$ in any one of a number of directions causes tremendous undecidability. On the other hand, we have shown that the congruence primitives over time can be added to the language without sacrificing decidability. Furthermore, we have proved decidability for the second-order case of $\mathcal{L}_T$ as well. Thus we claim that the first-order theory of $(\mathbb{N}, <)$ with monadic predicates (for state sequences) combined with the theory of $(\mathbb{N}, <, =)$ (for time) is the theory of timed state sequences.

3.5.3 Decidability versus undecidability in real-time logics

Let us consider the wide-ranging implications of Theorem 3.10 for designing real-time specification languages. We look at the ramifications of all four cases of the theorem. The fact that the monotonicity constraint on the time function is required for decidability (case 1) has little consequence in the context of real-time logics, because we are interested only in monotonic time functions anyway.

Choosing the domain of time

When devising a real-time logic we need to select an appropriate mathematical domain to represent time. Ideally, to model systems whose state changes can occur arbitrarily close in time, we would like to choose a dense linear order, such as the analog-clock model. Since the ordering predicate and addition of constant time values are the basic primitives needed to express the simplest of timing constraints, the undecidability of the resulting theory (case 3) is a major stumbling block in the design of useful logics over dense time. In fact, a close inspection of our proof reveals that even the satisfiability of a very simple class of real-time properties is undecidable in the analog-clock model: the only timing constraints required to copy sequences of states are, using the notation of MTL, of the form

$$\Box \bigcirc_{>0}\, true,$$

so that any time identifies a unique state, and of the forms

$$\Box (p \;\to\; \Diamond_{=1}\, q) \qquad (\dagger)$$

to assert that “every $p$-state is followed by a $q$-state precisely 1 time unit later” and “every $q$-state is preceded by a $p$-state 1 time unit earlier.” Observe that with an interval semantics, the latter (past) formula is not even needed. It follows that our techniques can be used to show that MTL is undecidable in the analog-clock model:

Theorem 3.11 (Dense MTL) If MTL is interpreted over a dense linear order, the satisfiability problem becomes $\Sigma^1_1$-complete.

Similar undecidability results can be obtained for the MTL-like branching-time logics considered by Alur, Courcoubetis, and Dill [7] and by Lewis [82], both of which use an interval semantics over the set of real numbers to model time.

There are two options to escape the predicament that is caused by this trade-off between the realistic modeling of time and the ability to verify timing properties:

1. We have adopted the semantic abstraction that, for every observation, we may record only a discrete approximation — the number of ticks of a digital clock — to the “real,” physical time. We have justified this decision by identifying the circumstances under which verification in the digital-clock model is both sound and complete; in Part 2 of this thesis we will develop concrete verification techniques under the assumption of a discrete time domain.

2. A recent result has opened the interesting alternative of a viable syntactic concession. We have shown that MTL without singular intervals (i.e., intervals of the form $[c, d]$ for $c = d$) as subscripts of the temporal operators can be decided in EXPSPACE even in the analog-clock model [9]. This syntactic restriction of MTL ensures that the time difference between two state changes can be enforced only with finite (yet arbitrary) precision; in particular, it rules out the specification of the punctuality requirement ($\dagger$). Note that ($\dagger$) is not equivalent to the stronger demand

$$\Box (p \;\to\; \Box_{<1}\, \neg q) \;\wedge\; \Box (p \;\to\; \Diamond_{\le 1}\, q)$$

that “every $p$-state is followed by a $q$-state no sooner and no later than after 1 time unit,” which can be expressed without singular time intervals. We do not have the space to pursue this approach here and instead refer the interested reader to the original paper.

Choosing the operations on time

Having constrained ourselves to the discrete time domain of the digital-clock model, we need to choose the operations on time that are admitted by a real-time specification language. We have proved (case 2) that the addition of time variables causes undecidability. In fact, using our results and techniques, we can show the $\Pi^1_1$-hardness of various real-time logics that have been proposed in the literature, such as the logics of Jahanian and Mok [63], Pnueli and Harel [110], Koymans [71], and [104], all of which include addition as a primitive operation on time. This list demonstrates vividly that it has not been understood until recently how expressive a theory of time may be added to reasoning about state sequences without sacrificing decidability. Harel, Lichtenstein, and Pnueli later proved the decidability of a fragment of what we called “real-time temporal logic” that permits the addition of time variables [54]. This decidable fragment XCTL (for “explicit-clock temporal logic”) puts, however, such substantial restrictions on the use of time quantifiers that it is not closed under complementation.

The real-time logic RTL of Jahanian and Mok can be viewed as a two-sorted logic with multiple monotonic functions from the state sort to the time sort. Our results (case 4) imply that RTL is undecidable, even if we restrict its syntax to allow only the successor primitive over time (RTL allows addition over time).
Chapter 4

Finite-state Verification

We present algorithms for checking if a formula $\phi$ of TPTL or MTL holds over all runs of a finite-state timed transition system $S$. The algorithms use a technique called model checking: they construct a finite graph — a “tableau” — that represents all models of the formula $\phi$ and compare it to the finite graph that represents all possible runs of the system $S$. Thus model checking is applicable only to

1. logics that have the finite-model property; that is, if a formula is satisfiable, then it is satisfiable in a finite model. Although timed state sequences are infinite structures over an infinite time domain, in Chapter 3 we have shown that for any given formula $\phi$ of TPTL or MTL, the infinitary timing information in a model of $\phi$ can be encoded by finitely many time-difference and time-congruence propositions. Moreover, we have seen that the properties that are definable in TPTL and MTL are regular, which implies that every model of $\phi$ is “eventually periodic” and can be obtained by unrolling a finite structure. We will use both observations to represent all models of the formula $\phi$ by a tableau whose size is doubly exponential in the length of $\phi$.

2. finite-state systems; that is, transition systems whose state graphs, which encode the consecution (i.e., next-state) relation, are finite. We will extend the notion of finite-state system to timed transition systems that can be represented by finite graphs.

Since both TPTL and MTL are undecidable in the analog-clock model (see Section 3.5), we restrict ourselves to the digital-clock model for model checking (i.e., $TIME = \mathbb{N}$ throughout this chapter). A model-checking algorithm for a decidable fragment of analog MTL was presented elsewhere [9].

The first step of the model-checking process yields, as a by-product, decision procedures for TPTL and MTL: a formula $\phi$ is valid iff the tableau that represents all models of the negated formula $\neg\phi$ does not contain any timed state sequences. While being elementary, the tableau-based decision procedures for TPTL and MTL are still quite expensive; they run in doubly exponential time. We show that this cost is, however, intrinsic to real-time reasoning: any reasonably succinct and reasonably expressive extension of PTL is necessarily EXPSPACE-hard.


4.1 Deciding Timed Temporal Logic

We present a doubly-exponential-time, tableau-based decision procedure for TPTL and show that the decision problem for TPTL is EXPSPACE-complete. This result establishes, as we have promised in Chapter 3, that TPTL corresponds to an elementary fragment of the nonelementary first-order language $\mathcal{L}_T$. We then integrate the grammar operators of TETL into the tableau method. In Section 4.3, we will demonstrate how the tableau techniques can be applied to verify TETL-properties of finite-state timed transition systems.

4.1.1 Timed tableaux

First observe that to solve the validity problem for a formula, it suffices to check if its negation is satisfiable. Throughout this subsection, we are given a formula $\phi$ of TPTL and wish to determine if $\phi$ is satisfiable. The tableau method searches systematically for a model of $\phi$. It originated with the propositional calculus (consult [120]), was extended to modal logics (consult [39]), and was first applied to obtain a decision procedure for a logic of computation by Pratt [111]. We follow the standard presentation of the tableau-based decision procedure for PTL [18, 130] and begin by constructing the initial tableau for $\phi$. Checking the satisfiability of $\phi$ can then be reduced to checking if the finite initial tableau for $\phi$ contains certain infinite paths. The tableau method for PTL is, in fact, subsumed by our procedure as the special case in which $\phi$ contains no timing constraints.
Preliminary assumptions

For the moment, we assume that

1. $\phi$ contains no absolute time references; that is, every term in $\phi$ contains a variable. Thus we may perform simple arithmetic manipulations so that all timing constraints in $\phi$ are of the form $x \le y + c$ or $x + c \le y$ or $x \equiv_d y + c$, for natural numbers $d > c \ge 0$.

2. $\phi$ contains only the temporal operators $\bigcirc$ and $\Diamond$; that is, the first argument of every occurrence of the until operator $\mathcal{U}$ in $\phi$ is $true$.

While neither of the two restrictions is essential, they simplify the exposition of the decision procedure greatly. Later we will show how to accommodate absolute time references, the until operator, and even general grammar operators. We also assume that $\phi$ is of the form $z.\psi$; if necessary, this can be easily achieved by prefixing $\phi$ with any variable $z$ that does not occur freely in $\phi$.

Let us say that an infinite timed state sequence $\rho = (\sigma, T)$ is $\Delta$-bounded, for a constant $\Delta \in \mathbb{N}$, iff

$$T_{i-1} \;\le\; T_i \;\le\; T_{i-1} + \Delta$$

for all $i \ge 0$; that is, the time increases from a state to its successor state by no more than $\Delta$. Recall that we use the convention that $T_{-1} = 0$; it follows that the absolute time of the initial state of a $\Delta$-bounded timed state sequence is at most $\Delta$. To begin with, we restrict ourselves to $\Delta$-bounded models for checking satisfiability. This case has finite-state character: the times that are associated with states can be modeled by finitely many (new) time-difference propositions $Prev_\delta$, for $0 \le \delta \le \Delta$, that represent, in the initial state, the initial time $\delta$ and, in all other states, the time increase $\delta$ from the predecessor state. Formally, we capture the (state and) time information in a timed state sequence $\rho = (\sigma, T)$ by the state sequence $\hat{\sigma}$ with

for all $i \ge 0$. This reduction of timed state sequences to state sequences allows us to adopt the tableau techniques for PTL. Later, we show how we can find an appropriate constant $\Delta$ for the given formula $\phi$.
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Updating  timing  constraints 

The  key  observ^ation  imdcrlying  the  tableau  method  for  PTL  is  that  any  formula  can  be 
split  into  two  conditions:  a  non- temporal  (“present”)  requirement  on  the  initial  and  a 
temporal  (“future”)  reqtxirement  on  the  rest  of  the  model  (i.e.,  the  successor  state).  For  ex¬ 
ample,  the  eventuality  can  be  satisfied  by  either  or  0^^  being  true  in  the  initial  state. 
Since  the  number  of  conditions  generated  in  this  way  is  finite,  checking  for  satisfiability  is 
reducible  to  checking  for  satisfiability  in  a  finite  structure,  the  initial  tableau. 

The  splitting  of  TPTL-formulas  into  a  present  and  a  future  (next-state)  condition  de¬ 
mands  more  care;  to  obtain  the  requirement  on  the  successor  state,  all  timing  constraints 
need  to  be  updated  appropriately  to  account  for  the  time  increase  6  from  the  initial  state 
to  its  successor.  Consider,  for  example,  the  formula  x.Oy.t&(ac,y),  and  recall  that  the  free 
occurrences  oizmip  Bst  references  to  the  initial  time.  This  eventuality  can  be  satisfied  ei¬ 
ther  by  having  the  initial  state  satisfy  y.  t!^(y,y),  with  all  free  occurrences  of  x  in  ^  replaced 
by  y,  or  by  having  the  next  state  satisfy  the  updated  eventuality  “x.Oy.  ti>(x  -  5,y).”  For 
f  >  0,  a  naive  replacement  of  x  by  x  -  5  would,  however,  successively  generate  infinitely 
many  new  conditions.  Fortunately,  the  monoionicity  of  time  can  be  exploited  to  keep  the 
tableau  finite;  the  observation  that  y  is  always  instantiated,  in  the  “future,”  to  a  value 
greater  than  or  equal  to  the  initial  time  x,  allows  us  to  simplify  timing  assertions  of  the 
form  X  <  y  +  (c  +  1)  and  y  +  (c  -h  1)  <  x  to  true  and  /oise,  respectively. 

We define, therefore, the TPTL-formula $x.\psi^{\delta}$ that results from updating all references in $\psi$ to the initial time $x$ by the time difference $\delta$. For instance, if $x.\psi$ is the formula

$x.\Box y.(p \to y \le x + 5)$,

then $x.\psi^{5}$ and $x.\psi^{6}$ are the following formulas:

$x.\Box y.(p \to y \le x)$,
$x.\Box y.(p \to \mathit{false})$.

In general, given a TPTL-formula $x.\psi$ and $\delta \in \mathbb{N}$, the TPTL-formula $x.\psi^{\delta}$ is defined inductively as follows:

• $x.\psi^{0}$ equals $x.\psi$.

• $x.\psi^{\delta+1}$ results from $x.\psi^{\delta}$ by replacing every term of the form $x + (c+1)$ with $x + c$, and every subformula of the form $x \le y + c$, $y + c \le x$, and $x \equiv_d y + c$ with $\mathit{true}$, $\mathit{false}$, and $x \equiv_d y + ((c+1) \bmod d)$, respectively, provided that the occurrence of $x$ in the specified terms and formulas is free in $\psi$.

The following lemma confirms that this transformation has the intended effect and updates all time references correctly; that is, the formula $x.\psi^{\delta}$ expresses the condition "$x.\psi(x - \delta)$."

Lemma 4.1 (Time step) Let $\rho = (\sigma, T)$ be a timed state sequence and $\delta \in \mathbb{N}$ such that $\delta \le T_0$. Then $\rho \models x.\psi^{\delta}$ iff $\rho \models_{[x := T_0 - \delta]} \psi$ for every formula $x.\psi$ of TPTL.

Proof of Lemma 4.1 The proof proceeds by a straightforward induction on the structure of $\psi$. ∎


Closure of a TPTL-formula

We collect all conditions that may arise by recursively splitting a formula $\phi$ into its present and future parts in the closure of $\phi$. It suffices to define the closure only for formulas whose outermost symbol is a freeze quantifier. The closure set $\mathit{Closure}(z.\phi')$ of the TPTL-formula $z.\phi'$ is the smallest set of formulas containing $z.\phi'$ that is closed under the following operation $\mathit{Sub}$:

$\mathit{Sub}(z.(\psi_1 \to \psi_2)) = \{z.\psi_1,\ z.\psi_2\}$,

$\mathit{Sub}(z.\bigcirc\psi) = \{z.\psi^{\delta} \mid \delta \ge 0\}$,

$\mathit{Sub}(z.\Box\psi) = \{z.\psi,\ z.\bigcirc\Box\psi\}$,

$\mathit{Sub}(z.x.\psi) = \{z.\psi[x := z]\}$,

where the TPTL-formula $\psi[x := z]$ results from $\psi$ by replacing all free occurrences of $x$ with $z$. Note that all formulas in a closure set are of the form $z.\psi$.

We say that a constant $c > 0$ occurs in the TPTL-formula $\phi$ iff $\phi$ contains a subformula of the form $x \le y + (c-1)$ or $x + (c-1) \le y$, or contains the predicate symbol $\equiv_c$. Let $C$ be the largest constant that occurs in the formula $\phi$. The closure set of $\phi$ is finite, because for every formula $z.\psi$ in $\mathit{Closure}(\phi)$ the updated formulas $z.\psi^{\delta}$ with $\delta \ge C$ range over only finitely many distinct formulas. The size of the closure set of $\phi$ depends on both the structure of $\phi$ and the constants that occur in $\phi$.




CHAPTER  4.  FINITE-STATE  VERIFICATION 


Lemma 4.2 (Size of closure) Let $n - 1$ be the number of boolean, temporal, and freeze operators in the formula $\phi$ of TPTL, and let $k$ be the product of all constants that occur in $\phi$. Then $|\mathit{Closure}(\phi)| \le 2nk$.

Proof of Lemma 4.2 Given a TPTL-formula $z.\phi'$ we define, by induction on the structure of $\phi'$, the set $D_{\phi'}$ of formulas that contains $\phi'$ and is closed under updating of timing constraints; the set $C_{\phi'}$ is, in addition, closed under subformulas:

$C_p = D_p = \{p\}$,

$C_{x \le y + c} = D_{x \le y + c} = \{x \le y + c,\ x \le y + (c-1),\ \dots,\ x \le y\}$,

$C_{x \equiv_d y + c} = D_{x \equiv_d y + c} = \{x \equiv_d y + (d-1),\ x \equiv_d y + (d-2),\ \dots,\ x \equiv_d y\}$,

$C_{\psi_1 \to \psi_2} = C_{\psi_1} \cup C_{\psi_2} \cup D_{\psi_1 \to \psi_2}$,

$D_{\bigcirc\psi} = \bigcirc D_{\psi}$,

$C_{\Box\psi} = C_{\psi} \cup D_{\Box\psi} \cup D_{\bigcirc\Box\psi}$, $D_{\Box\psi} = \Box D_{\psi}$,

$C_{x.\psi} = C_{\psi[x := z]} \cup D_{x.\psi}$, $D_{x.\psi} = x.D_{\psi}$.

Here $x.E = \{x.\psi \mid \psi \in E\}$ for any set $E$ of formulas; the other operators are applied to sets in an analogous fashion. The case of formulas of the form $x + c \le y$ is treated similarly to the timing constraints $x \le y + c$. Furthermore, let $E' = E \cup \{\mathit{true}, \mathit{false}\}$.

Observe that $D_{\phi'} \subseteq C_{\phi'}$. It is straightforward to show, by induction on the structure of $\phi'$, that

(1) $\phi' \in D_{\phi'}$ and, hence, $\phi' \in C_{\phi'}$.

(2) For all $\delta \ge 0$, $z.\phi'^{\delta} \in z.D_{\phi'}$ and, therefore, $z.\phi'^{\delta} \in z.C_{\phi'}$.

(3) $z.C_{\phi'}$ is closed under $\mathit{Sub}$ (use (2)).

From (1) and (3) it follows that $\mathit{Closure}(z.\phi') \subseteq z.C_{\phi'}$. Thus, it suffices to show that $|D_{\phi'}| \le k$ and $|C_{\phi'}| \le 2nk$, which may again be done by induction on the structure of $\phi'$. ∎
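The update $x.\psi^{\delta}$ and the closure set $\mathit{Closure}(z.\phi')$ defined above, as an added Python example that is not the thesis's own code. It represents a TPTL-formula over the connectives used on this page (propositions, true/false, timing constraints $\le$ and $\equiv_d$, $\to$, $\bigcirc$, $\Box$, freeze), implements the one-step update rule, the closure under $\mathit{Sub}$ (the clause for $\bigcirc$ iterates the update until a formula repeats, which is what makes the closure finite), and the parameters $n$ and $k$ of Lemma 4.2. The names `step`, `update`, `subst`, `closure`, `size_parameters` and `PAGE_EXAMPLE` are my own; a constraint that mentions the updated variable on both sides is left unchanged, a simplification the page does not spell out.

```python
from __future__ import annotations
import math
from dataclasses import dataclass
from typing import Union
Term = tuple[str, int]   # ("x", 3) stands for the term x + 3

@dataclass(frozen=True)
class Prop: name: str
@dataclass(frozen=True)
class Const: value: bool                                # true / false
@dataclass(frozen=True)
class Constraint: d: int | None; lhs: Term; rhs: Term  # lhs <= rhs if d is None, else lhs ≡_d rhs
@dataclass(frozen=True)
class Imp: a: Formula; b: Formula                       # a -> b
@dataclass(frozen=True)
class Next: f: Formula                                  # ○ f
@dataclass(frozen=True)
class Always: f: Formula                                # □ f
@dataclass(frozen=True)
class Freeze: var: str; f: Formula                      # var.f

Formula = Union[Prop, Const, Constraint, Imp, Next, Always, Freeze]
PAGE_EXAMPLE = Freeze("x", Always(Freeze("y", Imp(Prop("p"), Constraint(None, ("y", 0), ("x", 5))))))  # x.□y.(p -> y <= x + 5)

def _map(f, x, on_constraint):
    """Rebuild f, applying on_constraint to the timing constraints in which x occurs free."""
    if isinstance(f, Constraint):
        return on_constraint(f)
    if isinstance(f, Imp):
        return Imp(_map(f.a, x, on_constraint), _map(f.b, x, on_constraint))
    if isinstance(f, (Next, Always)):
        return type(f)(_map(f.f, x, on_constraint))
    if isinstance(f, Freeze) and f.var != x:   # an inner x. rebinds x, so its body is left alone
        return Freeze(f.var, _map(f.f, x, on_constraint))
    return f

def step_constraint(c, x):
    """One time unit passes for x in the constraint c (the update rule of the page)."""
    d, (u, a), (v, b) = c.d, c.lhs, c.rhs
    if (u == x) == (v == x):   # x on both sides or on neither: unchanged (my simplification; the page only treats x against a later-bound y)
        return c
    if u == x and a > 0:       # x + (c+1) ~ y + b  ->  x + c ~ y + b
        return Constraint(d, (u, a - 1), (v, b))
    if v == x and b > 0:       # y + a ~ x + (c+1)  ->  y + a ~ x + c
        return Constraint(d, (u, a), (v, b - 1))
    if d is None:              # y >= x in the future: x <= y + b becomes true, y + a <= x becomes false
        return Const(u == x)
    if u == x:                 # x ≡_d y + b  ->  x ≡_d y + ((b+1) mod d)
        return Constraint(d, (u, 0), (v, (b + 1) % d))
    return Constraint(d, (u, (a + 1) % d), (v, 0))

def step(f, x):   # x.f^(δ+1) from x.f^δ
    return _map(f, x, lambda c: step_constraint(c, x))

def update(f, x, delta):   # x.f^δ: apply the one-step update δ times
    for _ in range(delta):
        f = step(f, x)
    return f

def subst(f, x, z):
    """f[x := z]: rename the free occurrences of x to z."""
    ren = lambda t: (z, t[1]) if t[0] == x else t
    return _map(f, x, lambda c: Constraint(c.d, ren(c.lhs), ren(c.rhs)))

def closure(outer):
    """Closure(z.φ'): the least set containing z.φ' that is closed under Sub."""
    z, todo, seen = outer.var, [outer.f], set()
    while todo:
        psi = todo.pop()
        if psi in seen:
            continue
        seen.add(psi)
        if isinstance(psi, Imp):            # Sub(z.(ψ1 -> ψ2)) = {z.ψ1, z.ψ2}
            todo += [psi.a, psi.b]
        elif isinstance(psi, Next):         # Sub(z.○ψ) = {z.ψ^δ | δ >= 0}: finite, so iterate until a repeat
            g, orbit = psi.f, set()
            while g not in orbit:
                orbit.add(g)
                g = step(g, z)
            todo += list(orbit)
        elif isinstance(psi, Always):       # Sub(z.□ψ) = {z.ψ, z.○□ψ}
            todo += [psi.f, Next(psi)]
        elif isinstance(psi, Freeze):       # Sub(z.x.ψ) = {z.ψ[x := z]}
            todo.append(subst(psi.f, psi.var, z))
    return frozenset(Freeze(z, p) for p in seen)

def size_parameters(f):
    """(n, k) of Lemma 4.2: n - 1 operators; k = product of the constants that occur
    (an offset c contributes the constant c + 1, a predicate ≡_d contributes d)."""
    ops, consts, stack = 0, set(), [f]
    while stack:
        g = stack.pop()
        if isinstance(g, Constraint):
            consts |= {g.lhs[1] + 1, g.rhs[1] + 1} | ({g.d} if g.d else set())
        elif isinstance(g, Imp):
            ops += 1; stack += [g.a, g.b]
        elif isinstance(g, (Next, Always, Freeze)):
            ops += 1; stack.append(g.f)
    return ops + 1, math.prod(consts)
```

For the page's example `update(PAGE_EXAMPLE.f, "x", 5)` yields $x.\Box y.(p \to y \le x)$ and one more step yields $x.\Box y.(p \to \mathit{false})$, after which the update is stationary; `closure(PAGE_EXAMPLE)` has 36 elements, within the bound $2nk = 60$ that `size_parameters` gives for $n = 5$, $k = 6$.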

Initial tableau of a TPTL-formula

Tableaux for TPTL are finite, directed state graphs (Kripke structures) with local and global consistency constraints on all vertices. Unlike the states of a timed state sequence, the vertices of a tableau contain not only propositions, but are annotated with arbitrary formulas of TPTL. Since the set of propositions that labels a vertex determines a state, we shall informally refer to the vertices of a tableau themselves as "states," provided this usage does not give rise to ambiguities. The set of TPTL-formulas that labels a vertex of a tableau is closed under "subformulas" and its members express conditions on the annotated state and its successor states. Every vertex contains, in addition, a time-difference proposition $\mathit{Prev}_{\delta}$, where $0 \le \delta \le \Delta$, that denotes the time increase from the predecessor state.

Formally, we define the vertices of a tableau for $\phi$ as the maximally consistent subsets of the finite universe

$\mathit{Closure}^*(\phi) = \mathit{Closure}(\phi) \cup \{\mathit{Prev}_{\delta} \mid 0 \le \delta \le \Delta\}$

of TPTL-formulas. First, we put together all requirements for local consistency. A subset $\Phi$ of $\mathit{Closure}^*(\phi)$ is (maximally) consistent iff it satisfies the following conditions, where all formulas range only over the finite set $\mathit{Closure}^*(\phi)$:

• $\mathit{Prev}_{\delta}$ is in $\Phi$ for precisely one $0 \le \delta \le \Delta$; this $\delta \in \mathbb{N}$ is referred to as $\delta_{\Phi}$.

• $z.(z \sim z + c)$ is in $\Phi$ iff $0 \sim c$ holds in the natural numbers (for $\sim$ being one of $\le$, $\ge$, and $\equiv_d$).

• $z.\mathit{false}$ is not in $\Phi$.

• $z.(\psi_1 \to \psi_2)$ is in $\Phi$ iff either $z.\psi_1$ is not in $\Phi$ or $z.\psi_2$ is in $\Phi$.

• $z.\Box\psi$ is in $\Phi$ iff both $z.\psi$ and $z.\bigcirc\Box\psi$ are in $\Phi$.

• $z.x.\psi$ is in $\Phi$ iff $z.\psi[x := z]$ is in $\Phi$.

Now we are ready to define the initial tableau of a formula in a way that ensures the global consistency of both temporal and real-time constraints. The initial tableau $T(\phi)$ for the TPTL-formula $\phi$ is a directed graph whose vertices are the consistent subsets of $\mathit{Closure}^*(\phi)$, which contains an edge from $\Phi$ to $\Phi'$ iff, for all formulas $z.\bigcirc\psi$ in $\mathit{Closure}^*(\phi)$,

$z.\bigcirc\psi \in \Phi$ iff $z.\psi^{\delta_{\Phi'}} \in \Phi'$.


The significance of the (finite) initial tableau $T(\phi)$ for the formula $\phi$ is that every model of $\phi$ corresponds to an infinite path through $T(\phi)$ along which all eventualities are satisfied in time, and vice versa. This implies a finite-model property for TPTL, in the sense that every satisfiable TPTL-formula $\phi$ is satisfiable by a model whose state part, extended by the time-difference propositions $\mathit{Prev}_{\delta}$, does not only consist of no more than finitely many distinct states, but is eventually periodic. To be precise, we say that an infinite path

$\Phi:\ \Phi_0 \to \Phi_1 \to \Phi_2 \to \cdots$

through a tableau is a $\phi$-path iff it satisfies the following three conditions:

Initiality $\phi \in \Phi_0$.

Fairness All eventualities are satisfied along $\Phi$ in time or, equivalently, all missing invariances are violated along $\Phi$ in time; that is, for all $z.\Box\psi \in \mathit{Closure}^*(\phi)$ and $i \ge 0$,

$z.\Box\psi \notin \Phi_i$ implies $z.\psi^{\delta} \notin \Phi_j$ for some $j \ge i$ with $\delta = \sum_{i < k \le j} \delta_{\Phi_k}$.

Progress $\delta_{\Phi_i} > 0$ for infinitely many $i \ge 0$.

We can characterize the length of $\phi$-paths in the initial tableau for $\phi$ by reducing every $\phi$-path to a special form. The following lemma shows that every $\phi$-path is eventually periodic and bounds the length of the period. This will prove to be important to obtain an upper bound on the complexity of TPTL.

Lemma 4.3 (Length of $\phi$-paths) Suppose that the initial tableau $T(\phi)$ for the formula $\phi$ of TPTL consists of $m$ vertices. If $T(\phi)$ contains a $\phi$-path, then it contains a $\phi$-path of the form

$\Phi_0 \to \Phi_1 \to \cdots \to \Phi_i \to (\Phi_{i+1} \to \cdots \to \Phi_l)^{\omega}$

for $l \le (2n+1)m$, where $n$ is the number of temporal operators in $\phi$.

Proof of Lemma 4.3 Consider the infinite $\phi$-path $\Phi = \Phi_0\Phi_1\cdots$, and choose $i$ to be the smallest $j$ such that $\Phi_j$ occurs infinitely often in $\Phi$. Now $\Phi_i$ lacks at most $n$ invariances $x.\Box\psi_k$, each one of which is violated by some vertex of $\Phi_{i+1}\Phi_{i+2}\cdots$. Let $\Phi^0 = \Phi_0 \cdots \Phi_i$ and, for all $1 \le j \le 2n$, let $\Phi^j$ be finite segments of $\Phi$ that contain no other (i.e., inner) occurrences of $\Phi_i$. Delete any loops in every $\Phi^j$, thus obtaining the finite sequences $\Phi'^j$ for $0 \le j \le 2n$, each of length at most $m + 1$. It is not hard to see that the result of deleting duplicated vertices (i.e., $\Phi_i$) from

is a $\phi$-path of the desired form. ∎

Tableau decision procedure

The following main lemma suggests a decision procedure for TPTL: to determine if the TPTL-formula $\phi$ is satisfiable, construct the initial tableau $T(\phi)$ and check if it contains any $\phi$-paths.

Lemma 4.4 (Initial tableau for TPTL)

(1) [Correctness] If the initial tableau $T(\phi)$ for the formula $\phi$ of TPTL contains a $\phi$-path, then $\phi$ is satisfiable.

(2) [Completeness] If $\phi$ has a $\Delta$-bounded model, then $T(\phi)$ contains a $\phi$-path.

Proof of Lemma 4.4 The proof makes essential use of both directions of the time-step lemma, Lemma 4.1.

(1) Given a $\phi$-path $\Phi = \Phi_0\Phi_1\cdots$ through the initial tableau $T(\phi)$, define the timed state sequence $\rho = (\sigma, T)$ such that, for all $i \ge 0$, $p \in \sigma_i$ iff $z.p \in \Phi_i$, and $T_i = T_{i-1} + \delta_{\Phi_i}$. Note that the time sequence $T$ satisfies the progress condition because $\Phi$ does. We show, by induction on the structure of $\psi$, that $\psi \in \Phi_i$ iff $\rho^i \models \psi$ for all $i \ge 0$ and $\psi \in \mathit{Closure}^*(\phi)$. Since $\phi \in \Phi_0$, it follows that $\rho$ is a model of $\phi$.

For a proposition $z.p \in \mathit{Closure}^*(\phi)$, we have $z.p \in \Phi_i$ iff $p \in \sigma_i$ iff $\rho^i \models z.p$. Let $\sim$ be one of $\le$, $\ge$, $\equiv_d$, or its negation. By the consistency of $\Phi_i$, $z.(z \sim z + c) \in \Phi_i$ iff $0 \sim c$ iff $\rho^i \models z.(z \sim z + c)$. This completes the base cases.

By the consistency of $\Phi_i$, $z.(\psi_1 \to \psi_2) \in \Phi_i$ iff either $z.\psi_1 \notin \Phi_i$ or $z.\psi_2 \in \Phi_i$. By the induction hypothesis, this is the case iff either $\rho^i \not\models z.\psi_1$ or $\rho^i \models z.\psi_2$; that is, iff $\rho^i \models z.(\psi_1 \to \psi_2)$.

Now assume that $z.\bigcirc\psi \in \mathit{Closure}^*(\phi)$ and let $\delta = \delta_{\Phi_{i+1}}$; that is, $T_{i+1} = T_i + \delta$. Then $z.\bigcirc\psi \in \Phi_i$ iff $z.\psi^{\delta} \in \Phi_{i+1}$. By the induction hypothesis, this is the case iff $\rho^{i+1} \models z.\psi^{\delta}$. By Lemma 4.1, this is the case iff $\rho^{i+1} \models_{[z := T_i]} \psi$; that is, iff $\rho^i \models z.\bigcirc\psi$.

For the case that $z.\Box\psi \in \mathit{Closure}^*(\phi)$, we first prove that $z.\Box\psi \in \Phi_i$ iff $z.\psi^{\delta_j} \in \Phi_j$ for all $j \ge i$. Let $\delta_j = T_j - T_i$ and note that $\delta_j = \sum_{i < k \le j} \delta_{\Phi_k}$ by our choice of $T$.

We use induction on $j$ to show that $z.\Box\psi \in \Phi_i$ implies $z.\Box\psi^{\delta_j} \in \Phi_j$ for all $j \ge i$. Suppose that $z.\Box\psi^{\delta_j} \in \Phi_j$ for an arbitrary $j \ge i$. By the consistency of $\Phi_j$, also $z.\bigcirc\Box\psi^{\delta_j} \in \Phi_j$ and therefore $z.\Box\psi^{\delta_{j+1}} \in \Phi_{j+1}$. Invoking again the consistency of $\Phi_j$, we conclude that $z.\psi^{\delta_j} \in \Phi_j$ for all $j \ge i$.

On the other hand, suppose that $z.\Box\psi \notin \Phi_i$. Since $\Phi$ is a $\phi$-path, there is some $j \ge i$ such that $z.\psi^{\delta_j} \notin \Phi_j$.

By the induction hypothesis, it follows that $z.\Box\psi \in \Phi_i$ iff $\rho^j \models z.\psi^{\delta_j}$ for all $j \ge i$. By Lemma 4.1, this is the case iff $\rho^j \models_{[z := T_i]} \psi$ for all $j \ge i$; that is, iff $\rho^i \models z.\Box\psi$.

Finally, consider the case that $z.x.\psi \in \mathit{Closure}^*(\phi)$. In this case, $z.x.\psi \in \Phi_i$ iff $z.\psi[x := z] \in \Phi_i$. By the induction hypothesis, this is the case iff $\rho^i \models z.\psi[x := z]$; that is, iff $\rho^i \models z.x.\psi$.

(2) Let $\rho = (\sigma, T)$ be a $\Delta$-bounded model of $\phi$. The subsets $\Phi_i$, for $i \ge 0$, of $\mathit{Closure}^*(\phi)$ are defined as follows: $\mathit{Prev}_{\delta} \in \Phi_i$ iff $\delta = T_i - T_{i-1}$, and $z.\psi \in \Phi_i$ iff $\rho^i \models z.\psi$ for $z.\psi \in \mathit{Closure}(\phi)$. We show that $\Phi = \Phi_0\Phi_1\cdots$ is a $\phi$-path through the initial tableau $T(\phi)$.

By inspecting the consistency rules, it is evident that every $\Phi_i$ is (maximally) consistent. To prove that $\Phi$ is an infinite path through $T(\phi)$, we also have to show that there is an edge from $\Phi_i$ to $\Phi_{i+1}$ for all $i \ge 0$. Suppose that $z.\bigcirc\psi \in \mathit{Closure}^*(\phi)$ and let $\delta = T_{i+1} - T_i$. Then $z.\bigcirc\psi \in \Phi_i$ iff $\rho^i \models z.\bigcirc\psi$ iff $\rho^{i+1} \models_{[z := T_i]} \psi$; by Lemma 4.1, this is the case iff $\rho^{i+1} \models z.\psi^{\delta}$ iff $z.\psi^{\delta} \in \Phi_{i+1}$. Since also $\mathit{Prev}_{\delta} \in \Phi_{i+1}$, the initial tableau for $\phi$ contains an edge from $\Phi_i$ to $\Phi_{i+1}$.

We now show that the infinite path $\Phi$ is indeed a $\phi$-path. It satisfies the progress condition because the time sequence $T$ does. To see that $\phi \in \Phi_0$, observe that $\rho$ is a model of $\phi$. It remains to be established that all eventualities in $\Phi$ are satisfied in time. Suppose that $z.\Box\psi \in \mathit{Closure}^*(\phi)$ and $z.\Box\psi \notin \Phi_i$; that is, $\rho^i \not\models z.\Box\psi$ and therefore $\rho^j \not\models_{[z := T_i]} \psi$ for some $j \ge i$. Let $\delta = T_j - T_i$; thus $\delta = \sum_{i < k \le j} \delta_{\Phi_k}$. Then $\rho^j \not\models z.\psi^{\delta}$ by Lemma 4.1, which implies that $z.\psi^{\delta} \notin \Phi_j$. ∎

The usual techniques for checking if a tableau contains an infinite path along which all eventualities are satisfied can be straightforwardly adopted to check if the initial tableau for the formula $\phi$ contains a $\phi$-path: first mark all eventualities that are trivially satisfied, and then repeatedly mark the eventualities that are satisfied in successor states. The state graph that remains if all vertices that are not on a $\phi$-path are deleted from $T(\phi)$ is called the final tableau for the formula $\phi$. Hence we have shown that a TPTL-formula $\phi$ has a $\Delta$-bounded model iff the final tableau for $\phi$ is not empty.

The procedure for finding the final tableau is polynomial in the size of the initial tableau, which contains $O(\Delta \cdot 2^{nk})$ vertices, each of size $O(nk)$, where $n - 1$ is the number of operators in $\phi$ and $k$ is the product of all constants that occur in $\phi$. Thus, provided that $\Delta$ is dominated by $2^{nk}$, the initial tableau $T(\phi)$ can be constructed and checked for $\phi$-paths in deterministic time exponential in $nk$. We show next that $\Delta$ can indeed be bounded by $k$.

Bounding the time step-width

Given a TPTL-formula $\phi$, we finally determine the bound $\Delta$ on the time increase between two successive states such that the satisfiability of $\phi$ is not affected; that is, we choose the constant $\Delta \in \mathbb{N}$ such that $\phi$ is satisfiable iff it has a $\Delta$-bounded model. Let $c$ be the largest constant in $\phi$ that occurs in a subformula of the form $x \le y + (c-1)$ or $x + (c-1) \le y$, and let $\equiv_{c_1}, \dots, \equiv_{c_m}$ be the congruence predicates that occur in $\phi$. If the time increase $\delta$ between two states is greater than or equal to $c$, it obviously suffices to know the residues of $\delta$ modulo $c_1, \dots, c_m$ in order to update, in a tableau, all timing constraints correctly. Indeed, for checking the satisfiability of $\phi$, the arbitrary step-width $\delta$ can be bounded by taking the smallest representative for each of the finitely many congruence classes.

Lemma 4.5 (Bounded time increase) If the formula $\phi$ of TPTL is satisfiable, then $\rho \models \phi$ for some $\rho = (\sigma, T)$ with $T_i \le T_{i-1} + k$ for all $i > 0$, where $k$ is the product of all constants that occur in $\phi$.

Proof of Lemma 4.5 We can, in fact, derive the tighter bound $c + \ell \le k$, for the least common multiple $\ell$ of all $c_i$, $1 \le i \le m$. Given a model $\rho = (\sigma, T)$ of $\phi$, let the time sequence $T'$ be such that, for all $i \ge 0$, $T'_{i+1} = T'_i + (T_{i+1} - T_i)$ if $T_{i+1} - T_i < c$; else choose $T'_{i+1}$ to be the smallest $\delta \ge T'_i + c$ with $\delta \equiv_{\ell} T_{i+1}$. It is easy to see that $\rho' = (\sigma, T')$ is also a model of $\phi$. ∎
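The construction of $T'$ in the proof of Lemma 4.5, as an added Python example that is not the thesis's own code. It rewrites a time sequence so that every step stays below $c + \ell$: a step shorter than $c$ is copied, a longer one is replaced by the smallest value at least $c$ ahead that lies in the same residue class modulo $\ell$ as the original time point, so every $\equiv_d$ predicate and every $\le$ constraint with a constant below $c$ keeps its truth value. The function names, the sample sequence, the bound $c = 4$ and the moduli $2$ and $3$ are constructed for the illustration; the choice $T'_0 = T_0$ is my assumption, since the page leaves the first point unspecified.

```python
from math import gcd


def lcm_all(moduli):
    """Least common multiple ℓ of the congruence moduli c_1, ..., c_m."""
    ell = 1
    for c in moduli:
        ell = ell * c // gcd(ell, c)
    return ell


def bound_time_sequence(T, c, moduli):
    """The T' of the proof of Lemma 4.5: copy every step shorter than c, and replace a longer
    step by the smallest δ >= T'_i + c with δ ≡ T_{i+1} (mod ℓ).  T'_0 = T_0 is an assumption;
    the page leaves the first point unspecified."""
    ell = lcm_all(moduli)
    Tp = [T[0]]
    for i in range(1, len(T)):
        gap = T[i] - T[i - 1]
        if gap < c:
            Tp.append(Tp[-1] + gap)
        else:
            base = Tp[-1] + c
            Tp.append(base + (T[i] - base) % ell)   # smallest value >= base in T[i]'s class mod ℓ
    return Tp


def max_step(T):
    """Largest increase between successive time points."""
    return max(T[i] - T[i - 1] for i in range(1, len(T)))


def same_residues(T, Tp, moduli):
    """T' agrees with T modulo every congruence modulus, so each ≡_d constraint keeps its truth value."""
    return all(t % m == tp % m for t, tp in zip(T, Tp) for m in moduli)


# Constructed sample: a time sequence with two large gaps, for a formula whose largest
# <=-constant is c = 4 and whose congruence predicates are ≡_2 and ≡_3 (so ℓ = 6).
SAMPLE_T = [0, 1, 100, 101, 250]
SAMPLE_C, SAMPLE_MODULI = 4, (2, 3)
```

On the sample, `bound_time_sequence(SAMPLE_T, SAMPLE_C, SAMPLE_MODULI)` returns `[0, 1, 10, 11, 16]`: the two short steps are copied, the gaps of 99 and 149 shrink to 9 and 5, the largest step is 9 < c + ℓ = 10, and all residues modulo 2 and 3 agree with the original sequence.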

Combining this result with the tableau method developed above, we arrive at the conclusion that the satisfiability of the TPTL-formula $\phi$ is decidable in deterministic time exponential in $nk$. Moreover, Lemma 4.3 implies that every satisfiable formula $\phi$ is satisfiable in a model whose size is, in the sense mentioned above, exponential in $nk$. Remember that we have restricted $\phi$ to contain no until operators and no absolute time references. We now show that both assumptions can be relaxed.

Until operators

First, let us address TPTL-formulas that include until operators. We take the closure of a formula $\phi$ with until operators to be closed under the operation

$\mathit{Sub}(z.(\psi_1 \mathcal{U} \psi_2)) = \{z.\psi_1,\ z.\psi_2,\ z.\bigcirc(\psi_1 \mathcal{U} \psi_2)\}$,

and add the following condition on the local consistency of a set $\Phi \subseteq \mathit{Closure}^*(\phi)$ of formulas:

$z.(\psi_1 \mathcal{U} \psi_2)$ is in $\Phi$ iff either $z.\psi_2$ is in $\Phi$, or both $z.\psi_1$ and $z.\bigcirc(\psi_1 \mathcal{U} \psi_2)$ are in $\Phi$.

Finally, the fairness requirement on a $\phi$-path $\Phi_0\Phi_1\cdots$ is generalized to

$z.(\psi_1 \mathcal{U} \psi_2) \in \Phi_i$ implies $z.\psi_2^{\delta} \in \Phi_j$ for some $j \ge i$ with $\delta = \sum_{i < k \le j} \delta_{\Phi_k}$

for all $i \ge 0$. It is not hard to see that the Lemmas 4.2, 4.3, 4.4, and 4.5 allow the addition of until operators in this way.

Absolute time references

Secondly, let us accommodate absolute time references. Instead of generalizing the tableau method to constant terms, which contain no variable, we can use a simple observation. Suppose that we test the TPTL-formula $\phi$ for satisfiability. Let $x$ be a variable that does not occur in $\phi$ and replace every variable-free term $c$ in $\phi$ by the term $x + c$, thus obtaining the new formula $\phi'$ (which may contain free occurrences of $x$). The following lemma allows us to reduce the satisfiability problem for $\phi$ to the satisfiability problem for the formula $x.\bigcirc\phi'$, which contains no absolute time references.

Lemma 4.6 (Absolute time references) A formula $\phi$ of TPTL is satisfiable iff the formula $x.\bigcirc\phi'$ is satisfiable, where $x$ does not occur in $\phi$.

Proof of Lemma 4.6 (1) Let $\rho = (\sigma, T)$ be a timed state sequence. We define the timed state sequence $\rho' = (\sigma', T')$ such that $T'_0 = 0$, and $\sigma'_{i+1} = \sigma_i$ and $T'_{i+1} = T_i$ for all $i \ge 0$. Clearly, if $\rho \models \phi$ then $\rho' \models x.\bigcirc\phi'$.

(2) Let $\rho = (\sigma, T)$ be a timed state sequence. We define the timed state sequence $\rho' = (\sigma', T')$ such that $\sigma'_i = \sigma_{i+1}$ and $T'_i = T_{i+1} - T_0$ for all $i \ge 0$. Clearly, if $\rho \models x.\bigcirc\phi'$ then $\rho' \models \phi$. ∎

Note that the transformation from $\phi$ to $\phi'$ does not increase the number of operators in $\phi$ nor the product of all constants that occur in $\phi$. The following theorem summarizes our results about the tableau method.

Theorem 4.1 (Deciding TPTL) The validity problem for a formula $\phi$ of TPTL can be decided in deterministic time exponential in $nk$, where $n - 1$ is the number of boolean, temporal, and freeze operators in $\phi$ and $k$ is the product of all constants that occur in $\phi$.

Note that the length $l$ of any TPTL-formula whose constants are presented in a logarithmic (e.g., binary) encoding is within constant factors of $n + \log k$. Thus we have a decision procedure for TPTL that is doubly exponential in $l$ (although only singly exponential in $n$, the "untimed" part, and, therefore, singly exponential for PTL). The algorithm we have outlined can, of course, be improved in many ways. In particular, we may avoid the construction of the entire initial tableau by starting with the initial state, which contains $\phi$, and successively adding new states only when needed [130]. This stepwise procedure, however, does not lower the doubly exponential deterministic-time bound; in fact, as we will show in the following subsection, the decision problem for TPTL is EXPSPACE-hard.

We also remark that while the monotonicity condition on timed state sequences is essential for the tableau method to work, the progress condition on timed state sequences (and $\phi$-paths) can be omitted.

4.1.2 Complexity of timed temporal logic

We prove the following theorem, which establishes TPTL as being exponentially harder to decide than its untimed base PTL, which has a PSPACE-complete decision problem [119].

Theorem 4.2 (Complexity of TPTL) The validity problem for TPTL is EXPSPACE-complete (with respect to polynomial-time reduction).
Proof of Theorem 4.2 The proof proceeds in two parts; we first show that TPTL is in EXPSPACE, and then that it is EXPSPACE-hard. The first part follows the argument that PTL is in PSPACE, which builds on a nondeterministic version of the tableau-based decision procedure [130]; the hardness part is patterned after the proof by Hopcroft and Ullman that the universality problem of regular expressions with exponentiation is EXPSPACE-hard [62].

[EXPSPACE] It suffices to show that the complementary problem of checking the satisfiability of a TPTL-formula is in nondeterministic EXPSPACE and, hence, by Savitch's theorem, in (deterministic) EXPSPACE.

In particular, it can be checked in nondeterministic singly exponential space if the initial tableau $T(\phi)$ contains a $\phi$-path of the form stated in Lemma 4.3. In trying to construct such a $\phi$-path nondeterministically, at each stage only the current vertex, the "loop-back" vertex, and a vertex counter have to be retained in order to construct a successor vertex, loop back, or, if the vertex counter exceeds the maximal length of the loop, fail. Since both the size of each vertex and the length of the loop have, by Lemma 4.2 and Lemma 4.3, respectively, (singly) exponential representations in the length of $\phi$, it follows that this nondeterministic procedure requires only exponential space.

[EXPSPACE-hardness] Consider a deterministic $2^n$-space-bounded Turing machine $M$. For each input $X$ of length $n$, we construct a TPTL-formula $\psi_X$ of length $O(n \cdot \log n)$ that is valid iff $M$ accepts $X$. By a standard complexity-theoretic argument, using the hierarchy theorem for space, it follows that there is a constant $c > 0$ such that every Turing machine that solves the validity problem for TPTL-formulas $\phi$ of length $l$ takes space $S(l) \ge$

infinitely often. Thus it suffices to construct, given the initial tape contents $X$,

1. a sufficiently succinct formula $\phi_X$ that describes the (unique) computation of $M$ on $X$ as an infinite sequence of propositions, and

2. a sufficiently succinct formula $\phi_{\mathit{ACCEPT}}$ that characterizes the computation of $M$ on $X$ as accepting.

Then the implication

$\phi_X \to \phi_{\mathit{ACCEPT}}$

is valid iff the machine $M$ accepts the input $X$.
We use a proposition $p_i$ and a proposition $q_j$ for every tape symbol $i$ and machine state $j$ of $M$, respectively. In particular, $p_0$ and $q_0$ correspond to the special tape symbol "blank" and the initial state of $M$. We use the following abbreviations for formulas:

$r_i$: $p_i \wedge \bigwedge_{i' \ne i} \neg p_{i'} \wedge \bigwedge_j \neg q_j$,

$r_{ij}$: $p_i \wedge q_j \wedge \bigwedge_{i' \ne i} \neg p_{i'} \wedge \bigwedge_{j' \ne j} \neg q_{j'}$,

$s$: $\bigwedge_i \neg p_i \wedge \bigwedge_j \neg q_j$.

We represent configurations of $M$ by $r_i$-state sequences of length $2^n$ that are separated by $s$-states; the position of the read-write head is marked by an $r_{ij}$-state. The computation of $M$ on $X$ is completely determined by the following two conditions:

(1) it starts with the initial configuration, and

(2) every configuration follows from the previous one by a move of $M$.

Both conditions can be expressed in TPTL. Take $\phi_X$ to consist of $\Box x.\bigcirc y.(y = x + 1)$, forcing time to resemble a state counter, and the following two conjuncts, which correspond to the requirements (1) and (2), respectively:

<f>ItriTlAL’  «  A  O»‘X,,0  A  I.  A2<<<n°y-(y  =  *  +  *  “♦  PXi)  A 
a:.Dy.(a:-f-n<y<  1-1-2"  -♦  A)). 

^MOVB’  (y  =  *  +  2"  -f  1  A  $))  A 

A  0<?  A  0  0-R  Oy-(y  =  *  +  2"  +  2  A 

Here $P$, $Q$, and $R$ each range over the propositions $r_i$, $r_{ij}$, and $s$, and $f_M(P, Q, R)$ refers to the transition function of $M$. For instance, if $M$ writes, in state $j$ on input $i'$, the symbol $k$ onto the tape, moves to the right, and enters state $j'$, then $f_M(r_i, r_{i'j}, r_{i''}) = r_k$ and $f_M(r_{i'j}, r_{i''}, r_{i'''}) = r_{i''j'}$.

The computation of $M$ on $X$ is accepting iff it contains the accepting state $F$, which is expressible in TPTL by the formula

$\phi_{\mathit{ACCEPT}}$: $\Diamond \bigvee_i r_{iF}$.

The lengths of $\phi_{\mathit{INITIAL}}$, $\phi_{\mathit{MOVE}}$, and $\phi_{\mathit{ACCEPT}}$ are $O(n \cdot \log n)$, $O(n)$, and $O(1)$, respectively (recall that constants are represented in binary), thus implying the desired $O(n \cdot \log n)$-bound for $\psi_X$. ∎


4.1.3 Timed extended temporal logic

By putting together the tableau methods for ETL [130] and TPTL, we develop a doubly-exponential-time decision procedure for TETL. We are given a formula $\phi$ of TETL and wish to determine if $\phi$ is satisfiable. For the sake of keeping the presentation simple, we assume that all grammar operators in $\phi$ correspond to productions of the form

g(ai,. . .  a™)  —  Oi ,1  a,  .  ajJ. 

We also assume that $\phi$ is of the form $z.\phi'$, as usual.

First, we observe that the Lemmas 4.1, 4.5, and 4.6 hold for TETL as they do for TPTL. It follows that

Lemma 4.6 Absolute time references can be handled as in TPTL.

Lemma 4.5 For checking the satisfiability of $\phi$ we may restrict ourselves to $k$-bounded timed state sequences, where $k$ is the product of all constants that occur in $\phi$. All time information can, therefore, again be modeled by $k$ time-difference propositions, $\mathit{Prev}_{\delta}$ for all $0 \le \delta \le k$.

Lemma 4.1 The TETL-formula $z.\phi^{\delta}$ updates all references in $z.\phi$ to the initial time $z$ by the time difference $\delta$.

Next, we define the closure for grammar operators. The closure set $\mathit{Closure}(z.\phi')$ of the TETL-formula $z.\phi'$ is the smallest set of formulas containing $z.\phi'$ that is closed under the operation $\mathit{Sub}$, whose effect on grammar operators is defined by the clause

To determine the number of symbols in a TETL-formula, we count a grammar operator to contribute the number of nonterminal symbols in the corresponding grammar. For this purpose, we say that a nonterminal symbol occurs in a TETL-formula $\phi$ iff it occurs in a grammar that is denoted by a grammar operator in $\phi$. Let $n - 1$ be the number of boolean connectives, freeze quantifiers, and nonterminal symbols in $\phi$, and let $k$ be the product of all constants that occur in $\phi$. By induction on the structure of $\phi$, we can show the analog to Lemma 4.2 for TETL, namely that

$|\mathit{Closure}(\phi)| \le 2nk$

for every TETL-formula $\phi$.

The universe $\mathit{Closure}^*(\phi)$ and the edge relation of the initial tableau $T(\phi)$ for the TETL-formula $\phi$ are defined as in the case of TPTL; a subset $\Phi$ of $\mathit{Closure}^*(\phi)$ is (maximally) consistent iff it satisfies, in addition, the following condition on grammar operators:

$z.g(\psi_1, \dots, \psi_m)$ is in $\Phi$ iff

either  z.  is  in  $,  or  both  z.  V’,-,  and  z.  Q  .  V'y,)  are  in  §. 

We show that every model of the TETL-formula $\phi$ corresponds to an infinite path through the initial tableau $T(\phi)$ for $\phi$ along which all eventualities are satisfied in time, and vice versa. An eventuality "$\neg z.g(\psi_1, \dots, \psi_m)$" is called fulfilled along the finite path $\Phi_0\Phi_1\cdots\Phi_k$ through a tableau iff either z. ^ $o> or $k \ge 1$ and ~'Z.Q\‘\lij^ , . . . is fulfilled along the path $\Phi_1\Phi_2\cdots\Phi_k$. An infinite path

$\Phi:\ \Phi_0 \to \Phi_1 \to \Phi_2 \to \cdots$

through a tableau is a $\phi$-path iff it satisfies, in addition to the initiality and progress conditions, the following fairness requirement: for all formulas $z.g(\psi_1, \dots, \psi_m)$ in $\mathit{Closure}^*(\phi)$ and all $i \ge 0$,

if $z.g(\psi_1, \dots, \psi_m) \notin \Phi_i$, then the eventuality $\neg z.g(\psi_1, \dots, \psi_m)$ is fulfilled along some finite segment $\Phi_i \cdots \Phi_k$, with $k \ge i$, of $\Phi$.

By combining the corresponding arguments for ETL and TPTL, we can prove for TETL both Lemma 4.3, which bounds the size of models, and Lemma 4.4, which establishes the correctness of the tableau construction. Thus we have a decision procedure for TETL:

Lemma 4.7 (Initial tableau for TETL) The formula $\phi$ of TETL is satisfiable iff the initial tableau $T(\phi)$ for $\phi$ contains a $\phi$-path.

Since the initial tableau contains $O(k \cdot 2^{nk})$ vertices, each of size $O(nk)$, the initial tableau $T(\phi)$ can be constructed and checked for $\phi$-paths in deterministic time exponential in $O(nk)$. It follows that

Theorem 4.3 (Deciding TETL) The validity problem for a formula $\phi$ of TETL can be decided in deterministic time exponential in $O(nk)$, where $n - 1$ is the number of connectives, quantifiers, and nonterminal symbols in $\phi$, and $k$ is the product of all constants that occur in $\phi$.

Recall that a nonterminal symbol is counted to "occur" in a TETL-formula $\phi$ even if the corresponding grammar operator does not literally occur in $\phi$, but the nonterminal symbol is contained in a grammar whose starting nonterminal symbol occurs in $\phi$. Also note that the length of a TETL-formula whose constants are represented in binary is $O(n + \log k)$. Consequently, the tableau-based decision procedure for TETL is, as in the case of TPTL, doubly exponential in the length of the input formula (although only singly exponential in $n$ and, therefore, singly exponential for ETL).

Complexity  of  TETL 

The  following  theorem  shows  that  TETL  is  no  harder  to  decide  than  TPTL. 

Theorem 4.4 (Complexity of TETL) The validity problem for TETL is EXPSPACE-complete (with respect to polynomial-time reduction).

Proof of Theorem 4.4 (1) To show that TETL is in EXPSPACE, we first use Lemma 4.3 to develop a nondeterministic exponential-space version of the tableau procedure that determines if a TETL-formula is satisfiable, and then apply Savitch's theorem. We refer to the corresponding proof for TPTL for details.

(2) The EXPSPACE-hardness of TETL follows immediately from the corresponding result for TPTL. ∎


4.2  Deciding  Metric  Temporal  Logic 

We present a doubly-exponential-time, tableau-based decision procedure for MTL and show
that  the  satisfiability  problem  for  TPTL  is  EXPSPACE-complete.  This  result  establishes 
that  the  decision  problem  for  MTL  is  equally  hard  as  the  decision  problem  for  TPTL, 
and  that  MTL,  too,  corresponds  to  an  elementary  fragment  of  the  nonelementary  first- 
order  language  £j.  In  Section  4.3,  we  will  demonstrate  how  the  tableau  techniques  can  be 
applied  to  verify  MTL-properties  of  finite-state  timed  transition  systems. 
4.2.1 Metric tableaux

The tableau algorithm for MTL uses the techniques that we have developed for TPTL. The crucial property that guarantees the finiteness of tableaux is that, in both cases, the temporal precedence between any two temporal contexts that are related by a timing constraint is uniquely determined. For TPTL-formulas, which contain only future operators, this property is guaranteed by the monotonicity of time; for MTL-formulas, which may contain past operators, it is due to the fact that MTL can relate only adjacent temporal contexts.

Before giving a formal definition of the tableau method for MTL, we indicate first how the algorithm proceeds for a sample input. Suppose that the time increases by one unit from a state to its successor (in general, the time increase between states can be bounded for any given formula, and thus reduced to a finite number of different cases). In order to satisfy, say, the formula $\Diamond_{<c}\,\psi$ in the current state, we have to satisfy either $\psi$ now, or $\Diamond_{<c-1}\,\psi$ in the succeeding state. Continuing this splitting of requirements into a present and a future part, we will eventually arrive at the condition $\Diamond_{<1}\,\psi$, which forces $\psi$ to be satisfied in the current state. Since every input formula $\phi$ generates only a finite number of requirements on states in the described fashion, $\phi$ is satisfiable iff it is satisfiable in a finite tableau. By bounding the maximal size of this tableau, we obtain the following result.

Theorem 4.5 (Deciding MTL) The validity problem for a formula $\phi$ of MTL can be decided in deterministic time exponential in $O(nC)$, where $n - 1$ is the number of boolean and temporal operators in $\phi$, and $C - 1$ is the largest constant that occurs in $\phi$ as an interval end-point.

Proof of Theorem 4.5 Suppose we are given an MTL-formula $\phi$ and wish to determine whether $\phi$ is valid; that is, we check whether its negation is satisfiable.

We define the closure set $Closure(\phi)$ of the MTL-formula $\phi$ to be the smallest set containing $\phi$ that is closed under the following operation $Sub$:

$Sub(\bigcirc_I\,\psi) =$

$Sub(\psi_1\,\mathcal{U}_I\,\psi_2) = \{\psi_1, \psi_2\} \cup \{\bigcirc(\psi_1\,\mathcal{U}_{I-\delta}\,\psi_2) \mid \delta \geq 0\}$,

$Sub(\psi_1\,\mathcal{S}_I\,\psi_2) = \{\psi_1, \psi_2\} \cup \{\ominus(\psi_1\,\mathcal{S}_{I-\delta}\,\psi_2) \mid \delta \geq 0\}$

such that

1. If $I$ is an interval, then the expression $I - \delta$ stands for the interval $\{t \in \mathbb{N} \mid t + \delta \in I\}$. Note that if $I$ is bounded by the right end-point $d$, then $I - \delta = \emptyset$ for all $\delta > d$, and if $I$ is unbounded and has the left end-point $c$, then $I - \delta = \mathbb{N}$ for all $\delta \geq c$. This observation shows that the closure set of $\phi$ is finite.

2. If $I$ is a congruence expression of the form $=_d c$, then the expression $I - \delta$ stands for the unchanged congruence expression $=_d c$.

Let $n - 1$ be the number of boolean and temporal operators in $\phi$, and let $C - 1$ be the largest constant that occurs in $\phi$ as an interval end-point. It is not hard to see that

$|Closure(\phi)| \leq 2nC$.
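The closure construction just given, carried out by a program (an added example, not code from the thesis): MTL-formulas are nested tuples, an interval is a pair of naturals with None for an unbounded right end-point, and shift implements $I - \delta$ from item 1, including the two cases in which shifting stabilises (at $\emptyset$ beyond the right end-point, at $\mathbb{N}$ once the left end-point is reached) that make the closure finite. The names shift, sub, closure and size_bound are chosen here; the boolean cases of Sub and the case $Sub(\bigcirc_I\,\psi) = \{\psi\}$ are assumed, and congruence expressions are left out. For the constructed formula $p\,\mathcal{U}_{[0,2]}\,q$ the closure has 10 formulas against the bound $2nC = 12$.

```python
# Added example: the closure set Closure(phi) of an MTL-formula, built with the
# operation Sub from the proof of Theorem 4.5.  Not code from the thesis.
#
# Formulas are nested tuples (constructed representation):
#   ("prop", "p")             proposition
#   ("not", f), ("or", f, g)  boolean connectives (Sub cases assumed to be the usual ones)
#   ("next", I, f)            next operator with interval I
#   ("prev", I, f)            previous operator (past) with interval I
#   ("until", I, f, g)        f U_I g
#   ("since", I, f, g)        f S_I g
# An interval is (lo, hi) over the naturals, hi=None meaning unbounded; EMPTY is
# the empty interval and NAT the whole of N.  Congruence constraints are omitted.

EMPTY = ("empty",)
NAT = (0, None)


def shift(interval, delta):
    """I - delta = {t in N | t + delta in I} (item 1 of the closure definition)."""
    if interval == EMPTY:
        return EMPTY
    lo, hi = interval
    if hi is not None and delta > hi:      # right end-point exceeded: empty interval
        return EMPTY
    lo, hi = max(0, lo - delta), (None if hi is None else hi - delta)
    if lo == 0 and hi is None:             # left end-point reached: all of N
        return NAT
    return (lo, hi)


def sub(f):
    """The operation Sub.  For until/since the interval is shifted by every
    delta >= 0; the loop stops once shifting has stabilised at NAT or EMPTY,
    which is exactly why the closure set is finite."""
    kind = f[0]
    if kind == "prop":
        return set()
    if kind == "not":
        return {f[1]}
    if kind == "or":
        return {f[1], f[2]}
    if kind in ("next", "prev"):           # Sub(next_I f) = {f} is assumed here
        return {f[2]}
    _, interval, g, h = f
    result = {g, h}
    seen, delta = set(), 0
    while True:
        shifted = shift(interval, delta)
        if shifted in seen:
            break
        seen.add(shifted)
        if kind == "until":
            result.add(("next", NAT, ("until", shifted, g, h)))
        else:
            result.add(("prev", NAT, ("since", shifted, g, h)))
        delta += 1
    return result


def closure(phi):
    """Smallest set containing phi that is closed under Sub (fixpoint iteration)."""
    todo, result = [phi], set()
    while todo:
        f = todo.pop()
        if f not in result:
            result.add(f)
            todo.extend(sub(f))
    return result


def size_bound(phi):
    """The bound 2nC of the proof: n-1 operators, C-1 the largest end-point."""
    ops, endpoint, stack = 0, 0, [phi]
    while stack:
        f = stack.pop()
        if f[0] == "prop":
            continue
        ops += 1
        if f[0] in ("next", "prev", "until", "since"):
            if f[1] != EMPTY:
                lo, hi = f[1]
                endpoint = max(endpoint, lo, hi if hi is not None else 0)
            stack.extend(f[2:])
        else:
            stack.extend(f[1:])
    return 2 * (ops + 1) * (endpoint + 1)


# Constructed sample input: p U_[0,2] q
PHI = ("until", (0, 2), ("prop", "p"), ("prop", "q"))

if __name__ == "__main__":
    print(len(closure(PHI)), "formulas in the closure; bound 2nC =", size_bound(PHI))
```

The shifted untils that the loop generates are $p\,\mathcal{U}_{[0,2]}\,q$, $p\,\mathcal{U}_{[0,1]}\,q$, $p\,\mathcal{U}_{[0,0]}\,q$ and $p\,\mathcal{U}_{\emptyset}\,q$, each wrapped in an unsubscripted next operator; a past formula such as $p\,\mathcal{S}_{[1,\infty)}\,q$ stabilises at $\mathbb{N}$ after one shift instead.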


As in TPTL, for checking the satisfiability of $\phi$ we may restrict ourselves to timed state sequences $\rho = (\sigma, T)$ all of whose time steps $T_i - T_{i-1}$, for $i > 0$, are bounded by $C + k'$, where $k'$ is the least common multiple of all $d$ such that a congruence expression of the form $=_d c$ occurs in $\phi$. Let $\Delta = C + k'$. The time information in $\rho$ has, therefore, finite-state character and can be modeled by the (new) time-difference propositions $Prev_\delta$ and $Cong_{\delta'}$ for $0 \leq \delta \leq \Delta$ and $0 \leq \delta' < \Delta$. As usual, the proposition $Prev_\delta$ represents, in the initial state, the initial time $\delta$ and, in all other states, the time difference $\delta$ from the predecessor state; the proposition $Cong_{\delta'}$ represents, in any state, the remainder $\delta'$ modulo $\Delta$ of the current time. For ease of presentation we use, in addition, the time-difference propositions $Next_\delta$, for $0 \leq \delta \leq \Delta$, to represent, in any state, the time difference $\delta$ to the successor state.

Let $Closure'(\phi)$ denote the set that is obtained from $Closure(\phi)$ by adding all of the new propositions $Prev_\delta$, $Next_\delta$, and $Cong_\delta$. A subset $\Phi$ of $Closure'(\phi)$ is called (maximally) consistent iff it satisfies the following conditions, where all formulas range only over $Closure'(\phi)$ (let $I$ be an interval):

• $Prev_\delta \in \Phi$ for precisely one $\delta$ with $0 \leq \delta \leq \Delta$; this $\delta \in \mathbb{N}$ is referred to as $\delta^-_\Phi$.

• $Next_\delta \in \Phi$ for precisely one $\delta$ with $0 \leq \delta \leq \Delta$; this $\delta \in \mathbb{N}$ is referred to as $\delta^+_\Phi$.

• $Cong_\delta \in \Phi$ for precisely one $\delta$ with $0 \leq \delta < \Delta$; this $\delta \in \mathbb{N}$ is referred to as $\gamma_\Phi$.

• $false \notin \Phi$.

• $\psi_1 \vee \psi_2 \in \Phi$ iff either $\psi_1 \in \Phi$ or $\psi_2 \in \Phi$.

• $\psi_1\,\mathcal{U}_I\,\psi_2 \in \Phi$ iff

(1) $I \neq \emptyset$ and

(2) either $0 \in I$ and $\psi_2 \in \Phi$, or $\psi_1 \in \Phi$ and $\bigcirc(\psi_1\,\mathcal{U}_{I - \delta^+_\Phi}\,\psi_2) \in \Phi$.

• $\psi_1\,\mathcal{U}_{=_d c}\,\psi_2 \in \Phi$ iff either $\gamma_\Phi =_d c$ and $\psi_2 \in \Phi$, or $\psi_1 \in \Phi$ and $\bigcirc(\psi_1\,\mathcal{U}_{=_d c}\,\psi_2) \in \Phi$.

• $\psi_1\,\mathcal{S}_I\,\psi_2 \in \Phi$ iff

(1) $I \neq \emptyset$ and

(2) either $0 \in I$ and $\psi_2 \in \Phi$, or $\psi_1 \in \Phi$ and $\ominus(\psi_1\,\mathcal{S}_{I - \delta^-_\Phi}\,\psi_2) \in \Phi$.

• $\psi_1\,\mathcal{S}_{=_d c}\,\psi_2 \in \Phi$ iff either $\gamma_\Phi =_d c$ and $\psi_2 \in \Phi$, or $\psi_1 \in \Phi$ and $\ominus(\psi_1\,\mathcal{S}_{=_d c}\,\psi_2) \in \Phi$.

The initial tableau $T(\phi)$ for the MTL-formula $\phi$ is a (finite) directed graph whose vertices are the consistent subsets of $Closure'(\phi)$, and which contains an edge from $\Phi$ to $\Phi'$ iff all of the following conditions are met (let $I$ be an interval):

• $\delta^+_\Phi = \delta^-_{\Phi'}$.

• $\gamma_{\Phi'} =_\Delta \gamma_\Phi + \delta^+_\Phi$.

• For all $\bigcirc_I\,\psi \in Closure(\phi)$, $\bigcirc_I\,\psi \in \Phi$ iff $\delta^+_\Phi \in I$ and $\psi \in \Phi'$.

• For all $\bigcirc_{=_d c}\,\psi \in Closure(\phi)$, $\bigcirc_{=_d c}\,\psi \in \Phi$ iff $\gamma_{\Phi'} =_d c$ and $\psi \in \Phi'$.

• For all $\ominus_I\,\psi \in Closure(\phi)$, $\ominus_I\,\psi \in \Phi'$ iff $\delta^-_{\Phi'} \in I$ and $\psi \in \Phi$.

• For all $\ominus_{=_d c}\,\psi \in Closure(\phi)$, $\ominus_{=_d c}\,\psi \in \Phi'$ iff $\gamma_\Phi =_d c$ and $\psi \in \Phi$.

We show that all models of $\phi$ correspond to certain infinite paths through the initial tableau $T(\phi)$ for $\phi$ and vice versa. An infinite path

$\Phi_0 \to \Phi_1 \to \Phi_2 \to \cdots$

through a tableau is called a $\phi$-path iff it satisfies the following conditions (let $I$ be an interval):

• $\Phi_0$ contains no $\ominus$-formula,

• For all $i \geq 0$, $\psi_1\,\mathcal{U}_I\,\psi_2 \in \Phi_i$ implies $\psi_2 \in \Phi_j$ for some $j \geq i$ with $\sum_{i < l \leq j} \delta^-_{\Phi_l} \in I$.

• For all $i \geq 0$, $\psi_1\,\mathcal{U}_{=_d c}\,\psi_2 \in \Phi_i$ implies $\psi_2 \in \Phi_j$ for some $j \geq i$ with $\gamma_{\Phi_j} =_d c$.

• $\delta^+_{\Phi_i} > 0$ for infinitely many $i \geq 0$.

It is not difficult to show that an MTL-formula $\phi$ is satisfiable iff the initial tableau $T(\phi)$ for $\phi$ contains a $\phi$-path; the proof is similar to the corresponding argument for TPTL. Since $T(\phi)$ contains $O(k \cdot 2^{nC})$ vertices, each of size $O(nC)$, where $k$ is the product of all constants that occur in $\phi$, the initial tableau for $\phi$ can be constructed and checked for $\phi$-paths in deterministic time exponential in $O(nC)$. ∎

4.2.2  Complexity  of  metric  temporal  logic 

Note that although the (worst-case) running time of the tableau algorithm is slightly faster for MTL than for TPTL (for which the product of all constants appears in the exponent), it is still doubly exponential in the length of the input formula (under the assumption of binary encoding of constants). We show that the decision problem for MTL is indeed as hard as the decision problem for TPTL.

Theorem 4.6 (Complexity of MTL) The validity problem for MTL with or without past temporal operators is EXPSPACE-complete.

Proof of Theorem 4.6 From a nondeterministic version of the tableau algorithm, it follows that MTL is in EXPSPACE. The corresponding lower bound can be shown similarly to the analogous result for TPTL, by simulating EXPSPACE-bounded Turing machines. In particular, both of the TPTL-formulas $\phi_{INITIAL}$ and $\phi_{MOVE}$ that are used in the proof of Theorem 4.2 can be directly translated into MTL without using past operators. ∎

We point out that while PTL is PSPACE-complete, both TPTL and MTL are exponentially more expensive. In fact, a closer look at our proof of the EXPSPACE-hardness of TPTL suggests that any extension of PTL that allows the expression of a certain minimal set of timing constraints such as

$\Box(p \to \Diamond_{=c}\,q)$,

which enforces that "the time of one state is a constant distance $c$ from the time of another state," is EXPSPACE-hard, provided that all time constants are encoded in binary. Even the simplification of the digital-clock semantics that identifies next-time with next-state (i.e., time as a state counter) is of no help in complexity: our techniques can be used to show that already the introduction of the abbreviation for a sequence of $k$ consecutive next operators makes PTL EXPSPACE-hard. It follows that the succinct encoding of time constants makes real-time reasoning (at least) exponentially more expensive than untimed reasoning.


4.3  Model  Checking 

Model checking is a powerful and well-established technique for the automatic verification of finite-state systems that compares a propositional temporal-logic specification of a system against a state-graph description of the system (for a survey of model checking and its applications, see, for example, [29]). Model-checking algorithms were first developed for branching-time logics [28, 36]. We build on the model-checking algorithm by Lichtenstein and Pnueli for the linear-time propositional temporal logic PTL [83].

Let us briefly review the main ideas that underlie model checking in the untimed case. Suppose that a system $S$ is represented as a finite state graph (Kripke structure) $T(S)$; that is, all possible runs of $S$ correspond to infinite paths through $T(S)$ that satisfy certain fairness requirements. Furthermore, suppose that the specification of $S$ is given as a formula $\phi$ of PTL. The tableau construction for testing the satisfiability of the negated formula $\neg\phi$ can then be used to solve the verification problem:

Do all possible runs of the system $S$ satisfy the specification $\phi$?

The  algorithm  proceeds  in  two  steps: 

1. We construct the initial tableau $T(\neg\phi)$ for $\neg\phi$, which captures precisely the models of $\neg\phi$. Then we can reformulate the verification question as follows: is there an infinite path that is common to both finite state graphs, $T(S)$ and $T(\neg\phi)$, and that corresponds both to a possible run of $S$ and a model of $\neg\phi$? Clearly, the system $S$ meets the specification $\phi$ if and only if this is not the case.

2. The reformulated verification problem can be solved by a product construction on finite Kripke structures. We construct the product of the two state graphs $T(S)$ and $T(\neg\phi)$, and check if it contains an infinite path that satisfies certain fairness conditions.

The tableau methods for TPTL and MTL allow us to generalize the model-checking approach to real-time systems and real-time properties. We define timed state graphs in a way so that they subsume our system model, finite-state timed transition systems. Then we define the product of such timed structures, which leads to an algorithm that determines if a finite-state timed transition system meets a specification that is given in TPTL or MTL. We also show that the problem of checking if a formula $\phi$ of TPTL or MTL is satisfied in a given structure is EXPSPACE-complete and thus, in general, equally hard as deciding if $\phi$ is satisfiable in any structure. The complexity of the model-checking problem, however, is doubly exponential only in the size of the formula, which is usually much smaller than the size of the structure.

4.3.1  Finite-state  real-time  systems 

Let us define the notion of finite-state real-time system as a finite state graph (Kripke structure) that contains finitely many time-difference propositions. We call these timed structures tableaux, and show that finite-state timed transition systems can, just like formulas of TPTL and MTL, be represented as tableaux.


Timed  Kripke  structures 

Let $P_S$ be a finite set of propositions. We represent finite-state real-time systems by finite, directed state graphs whose vertices are labeled by sets of propositions. Each vertex contains finite

State information  A proposition $p \in P_S$ holds at vertex $v$ iff $v$ is labeled with $p$.

Time information  Every vertex is labeled with precisely one time-difference proposition $Prev_\delta$ or $Prev_{\geq\delta}$ that indicates that the time difference from the predecessor vertices is exactly $\delta$ time units or at least $\delta$ time units, respectively.

Formally, a (real-time) tableau $T = (V, \sigma, \delta, V_0, E)$ over the set $P_S$ of propositions consists of

• a finite set $V$ of vertices,

• a state labeling function $\sigma: V \to 2^{P_S}$ that labels every vertex $v$ with a state $\sigma_v \subseteq P_S$,

• a time labeling function $\delta: V \to \mathbb{N} \times 2$ that labels every vertex $v$ with a time-difference proposition $\delta_v$, which is either $Prev_\delta$ or $Prev_{\geq\delta}$ for some $\delta \in \mathbb{N}$,

• a set $V_0 \subseteq V$ of initial vertices,

• a set $E \subseteq V \times V$ of edges.

In accordance with the intuitive operational semantics that is associated with a tableau, we say that a timed state sequence $\rho = (\sigma, T)$ over $\mathbb{N}$ is a computation of the tableau $T$ iff there is an infinite path $v_0 v_1 v_2 \ldots$ through $T$ such that for all $i \geq 0$,

(1) $\sigma_i = \sigma_{v_i}$ and

(2) if $\delta_{v_i} = Prev_\delta$, then $T_i = T_{i-1} + \delta$; otherwise $T_i \geq T_{i-1} + \delta$.

Thus every tableau $T$ defines a digital real-time property, the set $\Pi(T)$ of computations of $T$. We say that the tableau $T$ satisfies the formula $\phi$ of TPTL or MTL iff there is a computation of $T$ that is a model of $\phi$. Dually, the formula $\phi$ is called valid over the tableau $T$ iff all computations of $T$ are models of $\phi$:

$\Pi(T) \subseteq \Pi(\phi)$.

The problem of model checking is to determine if a formula is valid over a tableau. By representing finite-state timed transition systems as tableaux, we can subject them to model-checking algorithms.
Finite-state timed transition systems

In Chapter 2, we have introduced timed transition systems as our model for real-time systems. Here we associate a tableau $T(S)$ with every finite-state timed transition system $S$ such that the computations of $T(S)$ are exactly the runs of $S$:

$\Pi(T(S)) = Det(\Pi(S))$.

Then we can use model checking to verify that all runs of a finite-state timed transition system satisfy a formula of TPTL or MTL.

Let $S = (\Sigma, \Theta, \mathcal{T}, l, u)$ be a finite-state timed transition system; that is, the set $\Sigma$ of states is finite. We may therefore assume that every state of $S$ is uniquely characterized by a subset of a suitable finite set $P_S$ of propositions (i.e., $\Sigma = 2^{P_S}$). For instance, every timed transition system that is defined in the transition diagram language of Chapter 2 uses the interpretations of a finite set of variables as states; if each of these variables ranges over a finite domain, then $S$ is a finite-state transition system. We construct the tableau $T(S)$ in two steps:

1. First, we dispense with all timing requirements of the timed transition system $S$ by adding the timing information to the states. For this purpose, we have defined, in Subsection 2.1.2, the explicit-clock transition system $S' = (\Sigma', \Theta', \mathcal{T}')$ that is associated with $S$.

2. Secondly, we merge the infinite number of states of $S'$ into a finite number of equivalence classes.

The explicit-clock transition system $S'$ contains infinitely many states, because the clock variable $t$ and the delay counters $d_\tau$ range over the infinite domain $\mathbb{N}$. Let $C_S - 1 \in \mathbb{N}$ be the largest constant of all finite minimal and maximal delays of $S$. To reduce the information that is provided by the clock variable $t$ to a finite domain, we use the following simple observation. Let $\rho = (\sigma, T)$ and $\rho' = (\sigma, T')$ be two timed state sequences such that for all $i \geq 0$, either $T_i - T_{i-1} = T'_i - T'_{i-1}$, or both $T_i - T_{i-1} \geq C_S$ and $T'_i - T'_{i-1} \geq C_S$. Then $\rho$ is a run of $S$ iff $\rho'$ is a run of $S$. Thus it suffices to model time by the finite set

$Prev = \{Prev_0, \ldots, Prev_{C_S - 1}, Prev_{\geq C_S}\}$

of time-difference propositions. The information that is provided by the delay counters has also finite-state character, because if the value of a delay counter is, in any state, at least $C_S$, then its actual value is of no importance.

Thus we define the equivalence relation $\approx$ on the states of $S'$ such that $\sigma \approx \sigma'$ iff

(1) $\sigma|_\Sigma = \sigma'|_\Sigma$ and

(2) for all transitions $\tau \in \mathcal{T}$, either $\sigma(d_\tau) = \sigma'(d_\tau) < C_S$ or both $\sigma(d_\tau) \geq C_S$ and $\sigma'(d_\tau) \geq C_S$,

for all $\sigma, \sigma' \in \Sigma'$. The tableau $T(S) = (V, \sigma, \delta, V_0, E)$ for $S$ is defined as follows:

• Every vertex $v = (s, t)$ of $T(S)$ is a pair that consists of an equivalence class $s$ of states of $S'$ and a time-difference proposition $t$:

$V = \{[\sigma]_\approx \mid \sigma \in \Sigma'\} \times Prev$.

• If $v = ([\sigma]_\approx, t)$ for $\sigma \in \Sigma'$, then $\sigma_v = \sigma|_\Sigma$.

• If $v = ([\sigma]_\approx, t)$, then $\delta_v = t$.

• A vertex $v = ([\sigma]_\approx, t)$, for $\sigma \in \Sigma'$, is initial iff $\sigma \in \Theta'$.

• There is an edge from the vertex $([\sigma]_\approx, t)$ to the vertex $([\sigma']_\approx, t')$, for $\sigma, \sigma' \in \Sigma'$, iff

either there is a transition $\tau \in \mathcal{T}$ such that $(\sigma, \sigma') \in \tau'$ and $t' = Prev_0$,

or $(\sigma, \sigma')$ is a step of the tick transition of $S'$ and $t' = Prev_{\sigma'(t) - \sigma(t)}$,

or $(\sigma, \sigma')$ is a step of the tick transition of $S'$ and $\sigma'(t) - \sigma(t) \geq C_S$ and $t' = Prev_{\geq C_S}$.

It is not hard to see that if the timed transition system $S$ contains no maximal delays $\infty$, then the tableau $T(S)$ for $S$ defines the set $Det(\Pi(S))$ of runs of $S$. We have not provided any means to place fairness assumptions on tableaux, which is necessary to handle infinite upper-bound requirements and can be done analogously to the untimed case [83].

We remark that the tableau $T(S)$ for $S$ contains $O(|\Sigma| \cdot C_S^{|\mathcal{T}|})$ vertices, because there are $|\mathcal{T}|$ delay counters each of which ranges over a domain of size $C_S + 1$. Thus there is an exponential blow-up in moving from the description of a timed transition system to a tableau (independent of whether the maximal and minimal delays of the system are given in a unary or a binary encoding).
4.3.2 Model-checking algorithms

Suppose that we are given

1. a finite-state real-time system in form of a tableau $T_S$ over the set $P_S$ of propositions. Let $C_S$ be the largest constant $\delta$ for which $T_S$ contains a time-difference proposition $Prev_\delta$ or $Prev_{\geq\delta}$.

2. a formula $\phi$ of TPTL or MTL over the set $P$ of propositions. Recall that the product $k$ of all constants in $\phi$ is the largest constant $\delta$ for which the initial tableau $T(\phi)$ for $\phi$ contains a time-difference proposition $Prev_\delta$.

We define the product $T = T_S \times T(\phi)$ of the two structures $T_S$ and $T(\phi)$ to be a finite, directed graph whose vertices are pairs of $T_S$-vertices and $T(\phi)$-vertices:

• Each vertex $(v, \Phi)$ of $T$ consists of a vertex $v$ of $T_S$ and a vertex $\Phi$ of $T(\phi)$ such that

1. the state information in $v$ and $\Phi$ is compatible; that is, $p \in \sigma_v$ iff $p \in \Phi$ (or $x.p \in \Phi$, in the case of TPTL) for all propositions $p \in P_S \cap P$.

2. the time information in $v$ and $\Phi$ is compatible; that is, either $\delta_v = \delta_\Phi$, or $\delta_\Phi = Prev_k$ and $\delta_v \in \{Prev_\delta, Prev_{\geq\delta}\}$ for some $\delta \geq k$ (where $\delta_\Phi$ denotes the time-difference proposition $Prev_\delta$ that is contained in $\Phi$).

• $T$ contains an edge from the vertex $(v_1, \Phi_1)$ to the vertex $(v_2, \Phi_2)$ iff $T_S$ contains an edge from $v_1$ to $v_2$ and $T(\phi)$ contains an edge from $\Phi_1$ to $\Phi_2$.

The size of the product $T_S \times T(\phi)$ is clearly linear in the product of the sizes of $T_S$ and $T(\phi)$.

For both TPTL and MTL we say that an infinite path through the product $T_S \times T(\phi)$ is a $\phi$-path iff its second projection is a $\phi$-path through $T(\phi)$; it is an initialized $\phi$-path iff, in addition, it starts at a vertex whose first projection is an initial vertex of $T_S$. The following lemma, which follows immediately from Lemma 4.4 and the proof of Theorem 4.5, confirms that our product construction has the intended effect.

Lemma 4.8 (Tableau product) The tableau $T_S$ satisfies the formula $\phi$ of TPTL or MTL iff the product $T_S \times T(\phi)$ contains an initialized $\phi$-path.

This lemma suggests a model-checking algorithm. To see if all runs of a finite-state timed transition system $S$ satisfy a formula $\phi$ of TPTL or MTL:

1. Construct the tableau $T(S)$ for $S$.

2. Construct the initial tableau $T(\neg\phi)$ for the negated formula $\neg\phi$.

3. Construct the tableau product $T = T(S) \times T(\neg\phi)$.

4. Check if $T$ contains a $\neg\phi$-path. The system $S$ meets the specification $\phi$ iff this is not the case.
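The four steps, run on a constructed instance (added example code, not the thesis's): with $\phi = \Box(p \to \bigcirc_{<2}\,q)$, make_system builds a three-vertex tableau $T_S$ with $Prev_\delta$ and $Prev_{\geq\delta}$ labels, and make_spec builds a hand-written stand-in for $T(\neg\phi)$ rather than running the tableau construction of Section 4.2: its vertices carry a set of propositions and a $Prev_\delta$ label (with $k = 2$), the fulfilled eventuality is recorded in a 'bad' control state that must be visited infinitely often, and the progress condition on time is kept as a second acceptance set. product follows the compatibility rules of this subsection, and has_counterexample performs step 4 by the standard strongly-connected-component test for such acceptance conditions. All function names, the constant K and the sample system are assumptions of this example.

```python
from itertools import combinations

# Added example (not code from the thesis): tableau product and search for an
# initialized ¬φ-path, for φ = □(p → ◯_{<2} q) over the propositions p, q.
P = ("p", "q")   # propositions shared by system and specification (P_S ∩ P)
K = 2            # largest constant on the formula side: Prev_K reads "at least K"


def powerset(items):
    return [frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)]


def make_system(with_shortcut):
    """Constructed tableau T_S: vertex -> (state label, (delta, exact)),
    exact=True encoding Prev_delta and exact=False encoding Prev_>=delta."""
    verts = {
        "v0": (frozenset({"p"}), (0, True)),   # initial vertex, time 0
        "v1": (frozenset({"q"}), (1, True)),   # exactly 1 unit after its predecessor
        "v2": (frozenset(), (3, False)),       # at least 3 units after its predecessor
    }
    edges = {("v0", "v1"), ("v1", "v2"), ("v2", "v0")}
    if with_shortcut:
        edges.add(("v0", "v2"))                # p followed by a long delay and no q
    return verts, {"v0"}, edges


def make_spec():
    """Hand-built stand-in for T(¬φ).  A vertex is (control, props, prev):
    'wait' (no pending obligation), 'sawp' (a p-state whose successor must be a
    q-state less than K units later), 'bad' (that obligation was violated)."""
    verts = set()
    for props in powerset(P):
        for prev in range(K + 1):
            verts.add(("wait", props, prev))
            verts.add(("bad", props, prev))
            if "p" in props:
                verts.add(("sawp", props, prev))

    def edge(a, b):
        c2, props2, prev2 = b
        discharged = prev2 < K and "q" in props2   # the step into b satisfies ◯_{<K} q
        if a[0] == "wait":
            return c2 != "bad"
        if a[0] == "sawp":
            return c2 != "bad" if discharged else c2 == "bad"
        return c2 == "bad"                        # 'bad' is absorbing

    def start(q):   # Φ_0 carries no already-fulfilled (past) information
        return q[0] != "bad"

    accept = [lambda q: q[0] == "bad", lambda q: q[2] > 0]   # eventuality, progress
    return verts, edge, start, accept


def time_compatible(sys_time, spec_prev):
    """Time compatibility of the product definition: equal labels, or Prev_K on
    the formula side against any Prev_delta / Prev_>=delta with delta >= K."""
    delta, exact = sys_time
    return (exact and delta == spec_prev) or (spec_prev == K and delta >= K)


def product(system, spec):
    sverts, sinit, sedges = system
    qverts, qedge, qstart, _ = spec
    nodes = [(v, q) for v in sverts for q in qverts
             if sverts[v][0] == q[1] and time_compatible(sverts[v][1], q[2])]
    succ = {n: [m for m in nodes if (n[0], m[0]) in sedges and qedge(n[1], m[1])]
            for n in nodes}
    init = [n for n in nodes if n[0] in sinit and qstart(n[1])]
    return nodes, succ, init


def tarjan_sccs(nodes, succ):
    """Strongly connected components of the graph (nodes, succ)."""
    index, low, stack, on_stack, sccs = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            sccs.append(comp)

    for v in nodes:
        if v not in index:
            visit(v)
    return sccs


def has_counterexample(system):
    """Step 4: an initialized ¬φ-path exists iff some non-trivial SCC that is
    reachable from an initialized product vertex meets every accepting set."""
    spec = make_spec()
    nodes, succ, init = product(system, spec)
    reach, todo = set(init), list(init)
    while todo:
        for m in succ[todo.pop()]:
            if m not in reach:
                reach.add(m)
                todo.append(m)
    for comp in tarjan_sccs(list(reach), succ):
        nontrivial = len(comp) > 1 or any(n in succ[n] for n in comp)
        if nontrivial and all(any(f(n[1]) for n in comp) for f in spec[3]):
            return True
    return False


if __name__ == "__main__":
    for shortcut in (False, True):
        verdict = "violates" if has_counterexample(make_system(shortcut)) else "meets"
        print(f"system with shortcut edge v0->v2 = {shortcut}: {verdict} φ")
```

With the edge v0 → v2 present, the product contains the initialized path (v0, sawp) → (v2, bad) → (v0, bad) → (v1, bad) → (v2, bad) → ..., whose cycle visits 'bad' and a vertex with a positive time step, so the system violates $\phi$; without that edge no product vertex in 'bad' is reachable from an initialized vertex and the system meets $\phi$.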

According to different versions of fairness, various variants of the notion of $\phi$-paths through the tableau product can be defined, and checked for, as in the untimed case [83]. This allows an extension of the method to arbitrary finite-state timed transition systems, which may contain maximal delays of $\infty$. Since a structure can be checked for $\phi$-paths in polynomial time, the running time of the algorithm is determined by the size of the tableau product $T$, which contains $O(|T(S)| \cdot |T(\neg\phi)|)$ vertices. Recall that the size of $T(S)$ may be exponentially larger than the description of $S$, and the size of $T(\phi)$ may be two exponentials larger than $\phi$ itself. Thus

Proposition 4.1 (Model checking) The problem if all runs of a finite-state timed transition system $S$ are models of a formula $\phi$ of TPTL or MTL can be decided in deterministic time exponential in $|S| \cdot \ldots$, where $|S|$ is the size of the system description and $|\phi|$ is the length of the formula.

The model-checking algorithm we have outlined can, of course, be streamlined in myriad ways. To begin with, it is not necessary to construct both tableaux and the product in their entirety, but all four steps of the algorithm can be overlapped. For details, we refer the reader to recent developments in untimed model-checking procedures (see, for example, [24]). We also remark that the product construction of timed structures can be used to check if one finite-state timed transition system implements (refines) another finite-state timed transition system.

4.3.3  Complexity  of  model  checking 

We show that the problem of determining if a formula $\phi$ of TPTL or MTL is valid in a given structure is, in general, equally hard as the problem of determining if $\phi$ is unconditionally valid.

Theorem 4.7 (Complexity of model checking) The problem of deciding if a formula of TPTL or MTL (with or without past temporal operators) is valid over a tableau is EXPSPACE-complete.

Proof of Theorem 4.7 [EXPSPACE] As is the case for PTL [119], timed and metric model checking are polynomial-time reducible to the validity problems for TPTL and MTL, respectively. Given the formula $\phi$ and the tableau $T = (V, \sigma, \delta, V_0, E)$, we construct a formula $\phi_T$ whose length depends polynomially on the sizes of both $T$ and $\phi$, and which is valid iff $\phi$ is valid over $T$. For every vertex $v_i \in V$, we introduce a new proposition $p_i$ and build the MTL-formula

$p_i \to \bigvee_{(v_i, v_j) \in E} \bigcirc_{\delta_j}\,p_j$   ($\psi_i$)

where $\bigcirc_{\delta_j}$ stands for the time-bounded operator $\bigcirc_{=\delta}$ if $\delta_{v_j} = Prev_\delta$, and for $\bigcirc_{\geq\delta}$ if $\delta_{v_j} = Prev_{\geq\delta}$. Furthermore, let the formula $\psi$ assert that exactly one of the propositions $p_i$, for $v_i \in V$, is true. It is not hard to see that the formula

$(\bigvee_{v_i \in V_0} p_i \wedge \Box(\psi \wedge \bigwedge_{v_i \in V} \psi_i)) \to \phi$   ($\phi_T$)

has the desired properties. Note that the antecedent of the formula $\phi_T$ contains no past operators and, thus, can be directly translated into TPTL.

[EXPSPACE-hardness] To reduce the validity problems for TPTL and MTL to model checking, it suffices to give a tableau $T$ of constant size such that the formula $\phi$ is valid iff $\phi$ is valid over $T$. Simply choose $T = (V, \sigma, \delta, V_0, E)$ to be the complete graph over all subsets of $P$, the propositions that occur in $\phi$, and label all vertices by the time-difference proposition $Prev_{\geq 0}$. ∎

Since our translation from finite-state timed transition systems to tableaux involves an exponential blow-up in size, Theorem 4.7 does not locate the exact complexity of verifying finite-state timed transition systems. Indeed, as we shall see next, a finite-state timed transition system can be directly encoded in TPTL or MTL without an exponential factor.

Encoding  finite-state  transition  systems 

Let $P$ be a finite set of propositions and $S = (\Sigma, \Theta, \mathcal{T}, l, u)$ a timed transition system with $\Sigma = 2^P$. We construct a formula $\phi_S$ of MTL without past operators, the logical representation of the finite-state system $S$, such that the possible runs of $S$ are exactly the models of $\phi_S$; that is,

$Det(\Pi(S)) = \Pi(\phi_S)$.

Since $\phi_S$ will contain no past operators, it can be directly translated into TPTL.

For all states $\sigma \subseteq P$ of $S$, let $\phi_\sigma$ be the conjunction

$\bigwedge_{q \in \sigma} q \wedge \bigwedge_{q \notin \sigma} \neg q$

that characterizes the state $\sigma$. The condition that a transition $\tau \in \mathcal{T}$ is enabled is then expressed by the formula

$enabled(\tau):\ \bigvee \phi_\sigma$,

where the disjunction ranges over all states $\sigma$ in which $\tau$ is enabled.

Recall that all runs are deterministic timed state sequences; that is,

$\Box \bigwedge (\bigcirc_{=0}\,true \vee \ldots)$   ($\phi_{DET}$)

For every transition $\tau$ we use a new proposition $taken_\tau$ that indicates, in any state of a run of $S$, if the transition $\tau$ is taken. Consequently, we require that

$taken_\tau \to \bigwedge_{\tau' \neq \tau} \neg taken_{\tau'}$   ($\phi^1_\tau$)

$taken_\tau \to \bigvee_{(\sigma, \sigma') \in \tau} (\phi_\sigma \wedge \bigcirc \phi_{\sigma'})$   ($\phi^2_\tau$)

The formula $\phi_S$ consists, in addition to the conjunct

$\phi_{DET} \wedge \Box \bigwedge_{\tau \in \mathcal{T}} (\phi^1_\tau \wedge \phi^2_\tau)$,

of the following four conjunctive parts:

Initiality:  $\bigvee_{\sigma \in \Theta} \phi_\sigma$.

Consecution:  $\Box \bigvee_{\tau \in \mathcal{T}} taken_\tau$.

Deterministic lower bound:  $\bigwedge_{\tau \in \mathcal{T}} \Box(\ldots\ \Box_{<l_\tau}\,\neg taken_\tau)$.

Deterministic upper bound:  $\bigwedge_{\tau \in \mathcal{T}} \Box(enabled(\tau) \to \Diamond_{\leq u_\tau}(taken_\tau \vee \neg enabled(\tau)))$.
It is not hard to see that a timed state sequence $\rho$ is indeed a model of $\phi_S$ iff $\rho$ is a run of the system $S$. Three additional remarks are in order.

1. The logical representation reveals that every real-time property that is defined by a timed transition system is an intersection of the time-invariant property that is defined by the underlying untimed transition system, bounded-invariance properties that ensure all lower-bound requirements, and bounded-response properties that ensure the upper-bound requirements. It follows that timed transition systems can be encoded by any logic that can express bounded-invariance and bounded-response properties. Also, the digitizability of the set of runs of $S$ follows as a corollary to Proposition 3.1.

2. If every pair of states in $\Sigma$ is related by at most one transition in $\mathcal{T}$, then the auxiliary propositions $taken_\tau$ are not needed and the formula $\phi_S$ employs, just like $S$, only propositions from $P$:

$taken_\tau \leftrightarrow \bigvee_{(\sigma, \sigma') \in \tau} (\phi_\sigma \wedge \bigcirc \phi_{\sigma'})$.

We say that a timed transition system that satisfies this condition is terse. The terseness of $S$ ensures that every run $\rho$ of $S$ uniquely determines the infinite sequence of transitions that are taken along $\rho$. Note that terseness, however, does not imply determinism. We point out that, for example, all timed transition systems that are defined in the timed transition diagram language are terse.

3. Note that the length of the formula $\phi_S$ is polynomially related to the size of the description of $S$ (provided that all natural number constants in $\phi_S$ and $S$ are given by the same encoding). By an argument similar to the proof of Theorem 4.7, it follows that the problem of verifying a finite-state timed transition system with respect to a TPTL-specification or an MTL-specification is in EXPSPACE.


Chapter 5

Deductive Verification: General Part


In Chapter 4, we have shown that the real-time temporal logic TPTL yields to algorithmic techniques for the verification of finite-state systems. For a given timed transition system S, the tableau-based methods, however, may not be

1. applicable, because the state space of S is infinite. For example, this is the case for all programs that contain variables that range over infinite domains, such as the integers.

2. feasible, because the state space of S is too large. This problem, which is known as the "state explosion problem," arises especially with highly parallel systems, as the number of states in a transition system grows exponentially with the number of parallel processes. The growth of the state space is particularly hindering for state-based real-time verification, which is, as we have seen, exponentially more expensive than untimed verification.

Thus it is imperative that a formal approach to real-time verification provides both semantic (i.e., algorithmic) as well as syntactic (i.e., deductive) methods. In this chapter, we develop a complete proof system for TPTL to complement the model-checking algorithm. The proof system can be used for the deductive verification of real-time systems even if they cannot be represented as finite-state graphs.

Just as proof systems for the propositional temporal logic PTL consist of a general, modal, part and special axioms for linear structures, we arrive at the proof system for TPTL in two steps. First (in Section 5.1), we axiomatize the freeze quantifier for arbitrary modal logics that are interpreted over Kripke structures in which a value is associated with every possible world, completely independent of the notion of "time." Since these modal logics are fragments of the corresponding first-order versions, we dub them half-order. We also show that half-order modal logic generalizes the classical first-order predicate calculus, which can be embedded.

Secondly (in Section 5.2), we obtain half-order temporal logic by restricting ourselves to certain linear structures. We interpret possible worlds as system states, the accessibility relation as temporal ordering between states, and the value that is associated with a state as its time. The resulting structures are timed state sequences and, hence, precisely the interpretations for TPTL. By adding appropriate axioms for linear structures and the timing constraints that are admitted in TPTL, we obtain a complete proof system for TPTL. In fact, the choice of timing constraints of TPTL turns out to be crucial; we show that half-order temporal logic in general is Π¹₁-hard, and therefore not axiomatizable.

Finally (in Section 5.3), we indicate how the proof system for TPTL can be used to verify TPTL-specifications of timed transition systems.


5.1 Half-order Modal Logic

We introduce modal logics that are interpreted over Kripke structures each of whose possible worlds (states) s has a value |s| associated with it. Ordinary first-order function and relation symbols, including equality, perform operations and tests on these values. However, instead of ordinary universal (and existential) quantification, the access to values is kept extremely local: the freeze quantifier "x." binds x to the value that is associated with the current state. For example, the formula x.◇y.p(x,y) is true in an interpretation with initial state s iff there is a state t accessible from s such that the relation p, as interpreted in t, holds between the value |s| associated with s and the value |t| associated with t.

There is a wide, and largely confusing, variety of different ways to add conventional quantification to modal logic, for only some of which completeness results have been achieved, and some of which are known to be incomplete (see [43] for an excellent survey). The situation for the freeze quantifier is, fortunately, much cleaner: we show that modal logics with freeze quantification are axiomatizable, yet not necessarily decidable, fragments of certain corresponding first-order modal logics. This explains the attribute "half-order" for the freeze quantifier.

5.1.1 Syntax and semantics

The formulas of half-order modal logic are built from first-order atoms, which include equations, by boolean connectives, the modal operator □, and the freeze quantifier. Let V be an infinite set of variables, and F and R be sets of function and relation symbols, respectively. We assume that all of these sets can be effectively enumerated. The terms π, atomic formulas α, and formulas φ of half-order modal logic are inductively defined as follows:

$$\pi ::= x \mid f\bar\pi$$

$$\alpha ::= \pi_1 = \pi_2 \mid p\bar\pi$$

$$\varphi ::= \alpha \mid \mathit{false} \mid \varphi_1 \to \varphi_2 \mid \Box\varphi \mid x.\varphi$$

for x ∈ V, f ∈ F, and p ∈ R. We write π̄ to denote a tuple of terms; for example, if f is a binary function symbol then fπ̄ stands for fπ₁π₂, or f(π₁, π₂). The boolean connectives true, ¬, ∧, ∨, and ↔ are defined in terms of false and → in the standard way; ◇φ is an abbreviation for ¬□¬φ. Throughout this chapter, we use π and α (possibly subscripted) to stand for arbitrary terms and atomic formulas, respectively; formulas are, as usual, denoted by φ and ψ.

An interpretation

$$\mathcal{M} = (\Sigma, \to_\Box, T, |\cdot|, [\![x]\!]_{x \in V}, [\![f]\!]_{f \in F}, [\![p]\!]_{p \in R}, s_0)$$

for half-order modal logic consists of

• a set Σ of states,

• an accessibility relation →□ ⊆ Σ² on the states,

• a set T of values,

• a value function |·|: Σ → T that associates a value |s| with every state s,

• a rigid assignment function ⟦x⟧ ∈ T for all variables x ∈ V,

• a rigid assignment function ⟦f⟧: Tⁿ → T for all function symbols f ∈ F of arity n,

• a flexible assignment function ⟦p⟧: Σ → 2^{Tⁿ} for all relation symbols p ∈ R of arity n,

• an initial state s₀ ∈ Σ.
Note that all terms are given a state-independent (rigid) meaning, while the interpretation of relation symbols is state-dependent (flexible). The rigidity restriction on terms is required for the completeness proof; the flexibility of relation symbols is necessary to cover TPTL, whose propositions are interpreted in a state-dependent fashion.

The interpretation M is a model of the formula φ iff M ⊨ φ for the following inductive definition of the satisfaction relation ⊨:

$$\mathcal{M} \models \pi_1 = \pi_2 \ \text{ iff }\ [\![\pi_1]\!] = [\![\pi_2]\!],\ \text{ for }\ [\![f\bar\pi]\!] = [\![f]\!]([\![\bar\pi]\!]).$$

$$\mathcal{M} \models p\bar\pi \ \text{ iff }\ [\![\bar\pi]\!] \in [\![p]\!](s_0).$$

$$\mathcal{M} \not\models \mathit{false}.$$

$$\mathcal{M} \models \varphi_1 \to \varphi_2 \ \text{ iff }\ \mathcal{M} \models \varphi_1 \ \text{ implies }\ \mathcal{M} \models \varphi_2.$$

$$\mathcal{M} \models \Box\varphi \ \text{ iff }\ \mathcal{M}[s_0 := s] \models \varphi \ \text{ for all } s \in \Sigma \text{ with } s_0 \to_\Box s.$$

$$\mathcal{M} \models x.\varphi \ \text{ iff }\ \mathcal{M}[[\![x]\!] := |s_0|] \models \varphi.$$

Here M[s₀ := s] denotes the interpretation that differs from M only in its initial state, s; the interpretation M[⟦x⟧ := |s₀|] differs from M only in its assignment function for x. Thus, the semantic clause for formulas of the form □φ specifies that φ is interpreted in all states accessible from the current state. The clause for x.φ asserts that all occurrences of x in φ refer to the value that is associated with the current state.

The formula φ is satisfiable (valid) iff some (every) interpretation is a model of φ. We write ⊨ φ to denote that φ is valid. Two formulas are equivalent iff they have the same models. While it is customary in modal logic to separate the initial state from a Kripke structure, we have merged both components of an interpretation, because we are only interested in general validity, not validity in a given structure.

Observe that we can faithfully embed half-order modal logic into a first-order modal logic with the set T of values as constant domain for all states, and rigid terms, with the exception of one flexible constant symbol, say t, that denotes, in every state, the value associated with that state; that is, ⟦t⟧(s) = |s|. The freeze quantifier x.φ is translated as
(or, equivalently, ∃x.(x = t ∧ φ)). In other words, half-order modal logic captures the fragment of first-order modal logic in which every rigid (global) variable is, immediately upon introduction, bound to the current value of the flexible (state) variable t. This makes the conventional first-order quantifiers superfluous.
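As an added example (not from the thesis), the following Python code implements the syntax and the satisfaction relation of this subsection for a constructed finite interpretation and evaluates the formula x.◇y.p(x,y) discussed above. The three states with values 0, 3 and 7, the flexible relation p, the rigid function succ, and the check of an instance of the axiom schema Q1 of Section 5.1.2 are all assumptions of the example.

```python
from typing import Any, Callable, Dict, FrozenSet, Tuple
from dataclasses import dataclass

# Abstract syntax of half-order modal logic (constructed for this example), as tagged tuples:
#   terms:    ("var", x) | ("fun", f, (pi_1, ..., pi_n))
#   formulas: ("eq", pi_1, pi_2) | ("rel", p, (pi_1, ..., pi_n)) | FALSE
#             | ("imp", phi, psi) | ("box", phi) | ("freeze", x, phi)
FALSE = ("false",)
def Var(x): return ("var", x)
def Fun(f, *args): return ("fun", f, args)
def Eq(a, b): return ("eq", a, b)
def Rel(p, *args): return ("rel", p, args)
def Imp(p, q): return ("imp", p, q)
def Box(p): return ("box", p)
def Freeze(x, p): return ("freeze", x, p)            # the freeze quantifier x.phi

# Derived connectives, defined from false and -> as in the text.
def Not(p): return Imp(p, FALSE)
def And(p, q): return Not(Imp(p, Not(q)))
def Iff(p, q): return And(Imp(p, q), Imp(q, p))
def Diamond(p): return Not(Box(Not(p)))               # <>phi abbreviates ~[]~phi

@dataclass
class Interpretation:
    states: FrozenSet[str]
    acc: FrozenSet[Tuple[str, str]]                   # accessibility relation ->[]
    value: Dict[str, Any]                              # |s|, the value associated with state s
    funcs: Dict[str, Callable[..., Any]]               # rigid: the same in every state
    rels: Dict[str, Callable[[str], set]]              # flexible: state -> set of tuples
    initial: str                                       # s0

def eval_term(t, env, M):
    """Terms are rigid: their value depends on the assignment env, not on the state."""
    if t[0] == "var":
        return env[t[1]]
    return M.funcs[t[1]](*(eval_term(a, env, M) for a in t[2]))

def holds(M, phi, env=None, s=None):
    """Satisfaction relation: does M[s0 := s], with assignment env, model phi?"""
    env = {} if env is None else env
    s = M.initial if s is None else s
    tag = phi[0]
    if tag == "false":
        return False
    if tag == "eq":
        return eval_term(phi[1], env, M) == eval_term(phi[2], env, M)
    if tag == "rel":                                   # relation symbols are read at the current state
        return tuple(eval_term(a, env, M) for a in phi[2]) in M.rels[phi[1]](s)
    if tag == "imp":
        return (not holds(M, phi[1], env, s)) or holds(M, phi[2], env, s)
    if tag == "box":                                   # phi in every state accessible from s
        return all(holds(M, phi[1], env, t) for (u, t) in M.acc if u == s)
    if tag == "freeze":                                # M[[[x]] := |s|] |= phi
        return holds(M, phi[2], {**env, phi[1]: M.value[s]}, s)
    raise ValueError(f"unknown formula {phi!r}")

def holds_everywhere(M, phi):
    """True iff phi is true in M[s0 := s] for every state s of M."""
    return all(holds(M, phi, {}, s) for s in M.states)

def sample_model():
    """A constructed interpretation: three states whose values are the times 0, 3 and 7."""
    bound = {"s0": 5, "s1": 5, "s2": 2}                # p is flexible: the admissible gap varies by state
    return Interpretation(
        states=frozenset({"s0", "s1", "s2"}),
        acc=frozenset({("s0", "s1"), ("s0", "s2"), ("s1", "s2")}),
        value={"s0": 0, "s1": 3, "s2": 7},
        funcs={"succ": lambda v: v + 1},
        rels={"p": lambda s: {(a, b) for a in range(10) for b in range(10) if b - a <= bound[s]}},
        initial="s0",
    )

X, Y = Var("x"), Var("y")
P_XY = Rel("p", X, Y)
EX_DIAMOND = Freeze("x", Diamond(Freeze("y", P_XY)))   # x.<>y.p(x,y), the formula from the text
EX_BOX = Freeze("x", Box(Freeze("y", P_XY)))           # x.[]y.p(x,y)
# An instance of the axiom schema Q1, x.(phi -> psi) <-> (x.phi -> x.psi), with
# phi = p(x, succ x) and psi = []y.p(x,y); being valid, it must hold in every state.
PHI, PSI = Rel("p", X, Fun("succ", X)), Box(Freeze("y", P_XY))
Q1_INSTANCE = Iff(Freeze("x", Imp(PHI, PSI)), Imp(Freeze("x", PHI), Freeze("x", PSI)))

if __name__ == "__main__":
    M = sample_model()
    print(holds(M, EX_DIAMOND))              # True: s1 is accessible from s0 and p(0, 3) holds in s1
    print(holds(M, EX_BOX))                  # False: p(0, 7) fails in s2
    print(holds_everywhere(M, Q1_INSTANCE))  # True
```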

5.1.2 Proof system

Let K_P be the propositional modal logic that is determined by the class of all Kripke structures. We extend the proof system for K_P by axioms and inference rules for both the freeze quantifier and equality. Recall that the deductive calculus for K_P consists of a complete proof system PROP for propositional logic, say,

PROP1  all tautologies are axioms,

PROP2  from $\varphi_1$ and $\varphi_1 \to \varphi_2$ infer $\varphi_2$,

as well as the following axiom schema and necessitation rule, which completely characterize the modal operator □ with respect to Kripke semantics [81]:

K1  $\Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$,

K2  from $\varphi$ infer $\Box\varphi$.

Let us abbreviate the formula φ → □ψ to φ ⇒ ψ (this convention will serve our purposes better than the standard interpretation of φ ⇒ ψ); the operator ⇒ associates to the right, as does →. The freeze quantifier is characterized by an axiom schema that asserts its functionality,

Q1  $x.(\varphi \to \psi) \leftrightarrow (x.\varphi \to x.\psi)$,

and an introduction rule for every modal context,

Q2  from $\varphi_1 \Rightarrow \cdots \Rightarrow \varphi_n \Rightarrow \psi$ infer $\varphi_1 \Rightarrow \cdots \Rightarrow \varphi_n \Rightarrow x.\psi$, provided that $x \notin \varphi_i$ for all $1 \le i \le n$

(we write x ∈ φ iff the variable x occurs freely in φ). The simplest instances of this rule (take n = 0) are of the form

Q2⁻  from $\psi$ infer $x.\psi$.

Only the elimination of vacuous quantifier occurrences is sound:

Q3  $x.\varphi \leftrightarrow \varphi$ if $x \notin \varphi$.

Let φ(π₁ := π₂) (and φ[π₁ := π₂]) denote a formula that results from φ by safely replacing zero, one, or more (all, respectively) free occurrences of π₁ by π₂. Safe replacement means, as usual, that no free occurrence of π₁ that is replaced is within the scope of a quantifier binding a variable of π₂; whenever we write φ[π₁ := π₂], there is the implicit condition that all free occurrences of π₁ in φ can be safely replaced by π₂. We add conventional congruence axioms for equality, for instance,

EQ1  $\pi = \pi$,

EQ2  $\pi_1 = \pi_2 \to (\alpha \to \alpha(\pi_1 := \pi_2))$,

two axiom schemata that assert the rigidity of terms,

RIG1  $\pi_1 = \pi_2 \to \Box\,\pi_1 = \pi_2$,

RIG2  $\pi_1 \ne \pi_2 \to \Box\,\pi_1 \ne \pi_2$,

and an axiom schema that states that the value associated with every state is unique,

QEQ

To summarize, we are given the logical axioms PROP1, K1, Q1, Q3, EQ1-2, RIG1-2, and QEQ, and the inference rules PROP2, K2, and Q2. A half-order normal logic is a set of formulas that contains all logical axioms and is closed under all inference rules. Note that, since the proof system includes PROP and K1-2, every normal logic contains all instances of valid schemata of the propositional modal logic K_P.
Sample proofs

We demonstrate the use of the proof system by deriving some additional theorems of half-order modal logic that will be useful later.


Lemma 5.1 (Sample theorems) Any normal logic contains the following formulas:

Q4

EQ3  $\pi_1 = \pi_2 \to (\varphi \to \varphi(\pi_1 := \pi_2))$.

EQ4  $x.x = \pi \to (x.\varphi \leftrightarrow \varphi[x := \pi])$.

VAR1  $x.\varphi \to y.\varphi[x := y]$ if $y \notin \varphi$.

VAR2  $\varphi \leftrightarrow \varphi'$ if $\varphi'$ results from $\varphi$ by renaming of bound variables.

VAR3  $x.y.\varphi \leftrightarrow x.\varphi[y := x]$.

Proof of Lemma 5.1  Q4 states that the freeze quantifier is its own dual. It follows from Q1:

$$x.(\varphi \to \mathit{false}) \leftrightarrow (x.\varphi \to x.\mathit{false})$$

by Q3 and PROP.

EQ3 generalizes the equality axiom EQ2 to arbitrary formulas φ. To establish it, we use induction on the structure of φ. The atomic base case holds by EQ2. The propositional cases follow from the induction hypothesis by PROP. Observe that

$$\pi_1 = \pi_2 \to (\Box\varphi \to (\Box\varphi)(\pi_1 := \pi_2))$$

equals

$$\pi_1 = \pi_2 \to (\Box\varphi \to \Box\varphi(\pi_1 := \pi_2)),$$

which follows from the induction hypothesis by K2, K1, RIG1, and PROP. If x ∉ π₁ and x ∉ π₂, then (x.φ)(π₁ := π₂) equals x.φ(π₁ := π₂), and

$$\pi_1 = \pi_2 \to (x.\varphi \to x.\varphi(\pi_1 := \pi_2))$$

follows from the induction hypothesis by Q2⁻, Q1, Q3, and PROP. If, on the other hand, x ∈ π₁ or x ∈ π₂, then (x.φ)(π₁ := π₂) must be x.φ; the corresponding inductive step holds by PROP.
From now on, we will often omit to mention applications of PROP explicitly. Similarly to our use of PROP, we may refer to any of K1-2 and Q1-4 simply by K or Q. We write Q⁻ if all applications of the rule Q2 are instances of Q2⁻.

EQ4 will be used extensively in the completeness proof, and can be derived from EQ3 by

VAR1 shows that bound variables can be renamed at the top level of formulas; it follows from EQ4 by Q⁻ and QEQ.

VAR2 generalizes VAR1 and is shown by structural induction.

VAR3 demonstrates that adjacent quantifiers can be combined; it follows from EQ4 by Q⁻ and QEQ. Together with Q1, VAR3 implies that every formula φ is equivalent to some formula φ' that contains at most one quantifier per modal level; that is, every quantifier in φ' follows a modal operator. Alternatively, any formula can be put into a normal form in which every quantifier precedes a modal operator or an atomic formula. ∎

Soundness

Let Φ be a set of formulas and Λ_Φ the intersection of all normal logics containing Φ. Clearly, Λ_Φ is again a normal logic; the formulas of Φ are called the nonlogical axioms of Λ_Φ. In particular, K = Λ_∅ is the smallest normal logic, and ⊥ = Λ_{{false}}, the set of all formulas, is the largest one. Our goal is to show that K is precisely the set of all valid formulas; that is, that the given proof system is both sound and complete for half-order modal logic. First we show that every formula of K is true under every interpretation; the completeness proof is deferred to the next subsection.

Lemma 5.2 (Soundness) The logical axioms are valid. If all of the antecedents of an inference rule are valid, then so is the consequent.

Proof of Lemma 5.2  The soundness of PROP, K1, Q1, EQ1-2, RIG1-2, and QEQ follows immediately from the definition of truth under an interpretation. The argument for K2 is the same as in propositional modal logic.

To show Q3 to be valid, we use the following fact:

$$\mathcal{M} \models \varphi \ \text{ iff }\ \mathcal{M}[[\![x]\!] := u] \models \varphi \ \text{ for all } x \notin \varphi \text{ and values } u \text{ of } \mathcal{M}. \qquad (\dagger)$$

This can be established by induction on the structure of φ.

It remains to be shown that Q2 is sound. Suppose that φ₁ ⇒ ··· ⇒ φₙ ⇒ ψ is valid and x ∉ φᵢ for all 1 ≤ i ≤ n. Now consider an arbitrary interpretation M, and show that φ₁ ⇒ ··· ⇒ φₙ ⇒ x.ψ is true under M. Let s₀ be the initial state of M, and let

$$s_0 \to_\Box s_1 \to_\Box \cdots \to_\Box s_n.$$

Assume that the interpretation M[s₀ := sᵢ] ⊨ φᵢ for all 1 ≤ i ≤ n, and show that x.ψ is true under M[s₀ := sₙ]. Since φ₁ ⇒ ··· ⇒ φₙ ⇒ ψ is valid, it is in particular true under M[⟦x⟧ := |sₙ|]. By (†), we infer from M[s₀ := sᵢ] ⊨ φᵢ and x ∉ φᵢ that

$$\mathcal{M}[s_0 := s_i, [\![x]\!] := |s_n|] \models \varphi_i$$

for all 1 ≤ i ≤ n. The desired conclusion M[s₀ := sₙ, ⟦x⟧ := |sₙ|] ⊨ ψ follows. ∎


5.1.3 Completeness

Our completeness proof is typical for quantified modal logics, and combines techniques from both propositional modal logic and classical first-order logic. The organization of the proof follows largely similar proofs that are surveyed by Garson [43].

• As is common in propositional modal logic, we construct, for any consistent formula, a model whose states are maximally consistent sets. The basic idea of the construction of this "canonical" model is to guarantee that all formulas that are contained in a state are true in that state.

• As usual in Henkin-type proofs of the completeness of classical first-order logic, we take as the set of values the equivalence classes of terms under equality (which requires the rigidity of terms) [55].

A completeness condition has to be put on the maximally consistent sets to assure that all of them have values associated with them. So in order to give the canonical-model construction, we have to develop the notions of consistency and completeness of sets of formulas first.
Consistent sets

Given a normal logic Λ, we write Φ ⊢_Λ φ iff

$$\varphi_1 \to \cdots \to \varphi_n \to \varphi \in \Lambda$$

for some finite subset {φᵢ | 1 ≤ i ≤ n} of Φ, and ⊢_Λ φ iff φ ∈ Λ. Throughout this subsection, we assume Λ ≠ ⊥ to be fixed, and suppress the subscript of the derivability relation ⊢_Λ. The concept of consistency is the familiar one. A set Φ of formulas is called consistent iff Φ ⊬ false; it is maximally consistent iff, furthermore, either φ ∈ Φ or ¬φ ∈ Φ for all formulas φ. The following lemma is, as usual, established using PROP.

Lemma 5.3 (Consistency) For every set Φ of formulas and formula φ:

(1) Φ ∪ {φ} is consistent iff Φ ⊬ ¬φ.

(2) If Φ is consistent, then either Φ ∪ {φ} or Φ ∪ {¬φ} is consistent.

(3) For any maximally consistent set Φ, φ₁ → φ₂ ∈ Φ iff φ₁ ∉ Φ or φ₂ ∈ Φ.

Complete sets

By φ − x we denote a set of formulas that result from binding all free occurrences of x in φ by a single quantifier. More precisely, φ − x is the smallest set satisfying the following condition: if φ is of the form

$$\varphi_1 \Rightarrow \cdots \Rightarrow \varphi_n \Rightarrow \psi,$$

where x ∉ φᵢ for all 1 ≤ i ≤ n, then

$$\varphi_1 \Rightarrow \cdots \Rightarrow \varphi_n \Rightarrow x.\psi \in \varphi - x.$$

Note that, in particular, x.φ ∈ φ − x.

A set Φ of formulas is complete iff Φ ⊢ φ[x := π] for all terms π implies Φ ⊢ φ' for all φ' ∈ φ − x. By part (1) of Lemma 5.3, it follows that completeness is equivalent to the condition that, if Φ ∪ {¬φ'} is consistent and φ' ∈ φ − x for some formula φ and variable x, then there is a term π such that Φ ∪ {¬φ[x := π]} is consistent. In particular, the completeness of a set Φ ensures that, whenever Φ contains the formulas φ[x := π] for all terms π, then Φ entails x.φ. This means, intuitively speaking, that some term π is interpreted as the value of the current state. The general form of the completeness condition is necessary to guarantee this property, which allows us to assign terms as values to complete sets, for all states in the canonical model.


Saturated sets

Maximally consistent, complete sets of formulas are called saturated. Given a consistent formula φ₀, we will define a model for φ₀ whose states are saturated sets. Part (1) of the following lemma ensures that φ₀ is contained in some saturated set, while part (2) guarantees that there are enough such sets for constructing a model. Note that the general form of the quantifier introduction rule Q2 is needed to show the former.

Lemma 5.4 (Existence of saturated extensions)

(1) Every finite consistent set of formulas has a saturated extension.

(2) Every complete consistent set of formulas has a saturated extension.

Proof of Lemma 5.4  Both parts are shown by applying variants of the Lindenbaum procedure to extend a consistent set Φ₀ to a maximally consistent set Φ. Enumerate all formulas φᵢ, and let Φᵢ₊₁, for all i ≥ 0, be either Φᵢ ∪ {φᵢ} if this set is still consistent, or Φᵢ ∪ {¬φᵢ} otherwise. Each set Φᵢ is consistent by part (2) of Lemma 5.3, implying that

$$\Phi = \bigcup_{i \ge 0} \Phi_i$$

is maximally consistent.

(1) Suppose that Φ₀ is finite. Then we can guarantee the completeness of Φ as follows: whenever Φᵢ is extended by a formula ¬φ' and φ' ∈ φ − x for some formula φ and variable x, then we add also ¬φ[x := y], for some new variable y ∉ Φᵢ ∪ {φ'}. Although at every stage several new formulas may be added, each set Φᵢ is finite, which assures the existence of new variables at all future stages. It remains to be shown that this process preserves consistency. Assume that Φ ∪ {¬φ', ¬φ[x := y]} is inconsistent; that is,

$$\vdash \chi \to \neg\varphi' \to \neg\varphi[x := y] \to \mathit{false} \qquad (\dagger)$$

for some conjunction χ of formulas in Φ. We derive a contradiction, by showing that, in this case, already

$$\vdash \chi \to \neg\varphi' \to \mathit{false}, \qquad (\ddagger)$$




implying the inconsistency of Φ ∪ {¬φ'}. Let φ' be φ₁ ⇒ ··· ⇒ φₙ ⇒ x.ψ, with x ∉ φᵢ for all 1 ≤ i ≤ n. Use Q to infer from (†) that

$$\vdash \chi \to \neg\varphi' \to \varphi_1 \Rightarrow \cdots \Rightarrow \varphi_n \Rightarrow y.\psi[x := y],$$

and conclude (‡) by VAR2 and PROP.

(2) First we show that, if a set Φ is complete, then so is Φ ∪ {φ}. Assume that

$$\Phi \cup \{\varphi\} \vdash \psi[x := \pi]$$

for all terms π, let x be such that x ∉ φ and ψ' ∈ ψ − x; by VAR2 it suffices to show that Φ ∪ {φ} ⊢ ψ'. From our assumption, it follows by PROP that

$$\Phi \vdash \varphi \to \psi[x := \pi]$$

for all terms π; hence Φ ⊢ φ → ψ' by the completeness of Φ (and Q⁻, in case ψ' equals x.ψ). The desired conclusion follows.

Now suppose that Φ₀ is complete. Then all the finite extensions Φᵢ, i ≥ 0, are complete; that is, whenever Φᵢ is about to be extended by the formula ¬φ' and φ' ∈ φ − x for some formula φ, there exists a term π such that Φᵢ ∪ {¬φ', ¬φ[x := π]} is consistent. We extend Φᵢ in this fashion, and continue the Lindenbaum process by checking whether the next enumerated formula can still be added consistently. Since every formula contains only a finite number of quantifiers, each stage is completed within a finite number of steps. ∎

In the canonical model, the value associated with a state (saturated set) s containing x.x = π will be the equivalence class of the term π under equality. The next lemma guarantees that such a term exists (part (4)), and that equality is a congruence relation (parts (1) to (3)).

Lemma 5.5 (Value of saturated sets) For every saturated set s of formulas:

(1) ≡ₛ = {(π₁, π₂) | π₁ = π₂ ∈ s} is an equivalence relation.

(2) π̄₁ ≡ₛ π̄₂ implies that fπ̄₁ ≡ₛ fπ̄₂ for all f ∈ F.

(3) π̄₁ ≡ₛ π̄₂ and pπ̄₁ ∈ s implies pπ̄₂ ∈ s for all p ∈ R.

(4) {π | x.x = π ∈ s} = [π]_{≡ₛ} for some term π.

Proof of Lemma 5.5  Parts (1), (2), and (3) follow from EQ.

(4) QEQ and Q4 imply that ¬y.¬x.y = x ∈ s. Since s is complete, x.π₁ = x ∈ s for some term π₁ not containing x; thus x.x = π₁ ∈ s by EQ and Q⁻. From EQ4:

$$x.x = \pi_1 \to (x.x = \pi_2 \leftrightarrow \pi_1 = \pi_2),$$

we infer that [π₁]_{≡ₛ} = {π | x.x = π ∈ s}. ∎


Canonical model

Now we are ready to define the canonical model for a given consistent formula φ₀. Let

$$\mathcal{M}(\varphi_0) = (\Sigma, \to_\Box, T, |\cdot|, [\![x]\!]_{x \in V}, [\![f]\!]_{f \in F}, [\![p]\!]_{p \in R}, s_0)$$

be an interpretation such that:

• s₀ is a saturated extension of {φ₀}. By ≡ we denote ≡_{s₀}.

• Σ is the set of saturated sets s with ≡ₛ = ≡.

• s →□ t iff φ ∈ t for all □φ ∈ s.

• T is the set of equivalence classes [π]_≡.

• |s| = {π | x.x = π ∈ s}.

• ⟦x⟧ = [x]_≡.

• [π̄]_≡ ∈ ⟦p⟧(s) iff pπ̄ ∈ s.

Note that the interpretation M(φ₀) is well-defined: a saturated extension of {φ₀} exists by part (1) of Lemma 5.4; Lemma 5.5 guarantees that ≡ is an equivalence relation, that |s| ∈ T, and that ⟦f⟧ and ⟦p⟧ are properly defined.

The values of the canonical model are equivalence classes of terms under equality. It is straightforward to show, by structural induction, that all terms are interpreted as themselves, modulo equality.

Lemma 5.6 (Term model) ⟦π⟧ = [π]_≡.

The states of the canonical model are saturated sets. The following main theorem shows that every state s of M(φ₀) contains precisely the formulas that are true at s. Since φ₀ ∈ s₀, it follows immediately that the interpretation M(φ₀) is a model of φ₀.
Theorem 5.1 (Canonical model) Let M be a canonical model (of any formula) with the initial state s₀. Then φ ∈ s iff M[s₀ := s] ⊨ φ for every state s of M and every formula φ.

Proof of Theorem 5.1  We apply induction on the structure of φ. The atomic cases follow from Lemma 5.6. The propositional cases are consequences of the induction hypothesis and part (3) of Lemma 5.3.

If □φ ∈ s and s →□ t, then φ ∈ t and, by the induction hypothesis, M[s₀ := t] ⊨ φ. Now assume that □φ ∉ s, that is, ¬□φ ∈ s, and show that M[s₀ := s] ⊭ □φ. This follows from Lemma 5.8 (see below) by the induction hypothesis.

For the quantifier case, choose a term πₛ such that x.x = πₛ ∈ s. Consequently, we have that M[s₀ := s] ⊨ x.φ iff M[s₀ := s, ⟦x⟧ := |s|] ⊨ φ iff, by Lemma 5.7 (given below), M[s₀ := s] ⊨ φ[x := πₛ] iff, by the induction hypothesis, φ[x := πₛ] ∈ s. From EQ4:

$$x.x = \pi_s \to (x.\varphi \leftrightarrow \varphi[x := \pi_s]),$$

we conclude that M[s₀ := s] ⊨ x.φ iff x.φ ∈ s. ∎

In the proof of Theorem 5.1, we invoked the following two lemmas. That substitution behaves as expected can be shown by straightforward structural induction. To show that there are enough states in the canonical model, we use the fact that every complete consistent set has a saturated extension.

Lemma 5.7 (Substitution) M[⟦x⟧ := ⟦π⟧] ⊨ φ iff M ⊨ φ[x := π].

Lemma 5.8 (Succession) If s ∈ Σ and ¬□φ ∈ s, then there is a t ∈ Σ such that s →□ t and ¬φ ∈ t.

Proof of Lemma 5.8  Suppose that s ∈ Σ and ¬□φ ∈ s. Let

$$\Phi = \{\psi \mid \Box\psi \in s\} \cup \{\neg\varphi\}.$$

We show that Φ is (1) consistent and (2) complete. Thus, a saturated extension t of Φ exists by part (2) of Lemma 5.4; furthermore, t ∈ Σ because ≡ₜ = ≡ₛ, by RIG1-2, and s →□ t by the definition of →□.
(1) Suppose that Φ is inconsistent, that is,

$$\vdash \psi_1 \to \cdots \to \psi_n \to \neg\varphi \to \mathit{false}$$

for some □ψᵢ ∈ s, 1 ≤ i ≤ n. By K2 and repeated application of K1,

$$\Box\psi_1 \to \cdots \to \Box\psi_n \to \Box(\neg\varphi \to \mathit{false}) \in s,$$

implying that □φ ∈ s (use K). Since also ¬□φ ∈ s, it follows that s is inconsistent, a contradiction.

(2) Assume that Φ ⊢ ψ[x := π] for all terms π, let x be such that x ∉ φ and ψ' ∈ ψ − x; by VAR2 it suffices to show that Φ ⊢ ψ'. Similarly to part (1), by K it follows that

$$\Box(\neg\varphi \to \psi[x := \pi]) \in s$$

for all π. Hence □(¬φ → ψ') ∈ s by the completeness of s (if ψ' equals x.ψ, use Q⁻ and K), and ¬φ → ψ' ∈ Φ by the definition of Φ. Since also ¬φ ∈ Φ, we conclude that Φ ⊢ ψ'. ∎

Thus we have shown that every consistent formula ¬φ is satisfiable by the corresponding canonical model M(¬φ). By part (1) of Lemma 5.3, it follows that K ⊢ φ for every valid formula φ. Recall that we have assumed an arbitrary normal logic Λ; thus K contains precisely all valid formulas:

Corollary 5.1 (Completeness) A formula φ of half-order modal logic is valid iff φ ∈ K; that is, ⊨ φ iff ⊢ φ.

We remark that it is an interesting open question under which conditions the general form of the quantifier introduction rule Q2 can be replaced by the simpler rule Q2⁻. We conjecture that this is the case for all normal logics Λ_Φ, such as K, whose set Φ of nonlogical axioms satisfies certain closure properties.

5.1.4 Syntactic and semantic extensions

In order to treat the real-time temporal logic TPTL as a half-order modal logic, we admit multiple modal operators and semantic restrictions on the corresponding accessibility relations. By axiomatizing accessibility relations that are equivalence relations, we show that half-order modal logic subsumes first-order classical logic.
Multimodal logics

Half-order versions of multimodal logics are straightforwardly defined by admitting several modal operators □ᵢ in the syntax. An interpretation contains, accordingly, a separate accessibility relation →ᵢ ⊆ Σ² for each operator □ᵢ.

Multimodal normal logics are closed under the axiom schemata K1ᵢ, RIG1ᵢ, and RIG2ᵢ, as well as the inference rules K2ᵢ: one for each modal operator □ᵢ. As for the inference rule Q2, consider every formula φ → □ᵢψ, for any operator □ᵢ, to be of the form φ ⇒ ψ. For example, if x ∉ φ, then from

$$\Box_1(\varphi \to \Box_2\psi)$$

we may infer

$$\Box_1(\varphi \to \Box_2\, x.\psi).$$

The completeness proof given above is easily generalized to show that multimodal K (the smallest multimodal normal logic) contains precisely all valid formulas.


Accessibility conditions

It is often useful to consider only a certain class C of interpretations for half-order modal logic. We say that a formula φ is C-valid, and write C ⊨ φ, iff φ is true under all interpretations in C; we also write Φ ⊢ φ for φ ∈ Λ_Φ. A set Φ of nonlogical axioms is sound for the class C of interpretations iff

$$\Phi \vdash \varphi \ \text{ implies }\ C \models \varphi$$

for all formulas φ. This is the case if

1. C ⊨ φ for all nonlogical axioms φ ∈ Φ, and

2. all inference rules are sound for C; that is, if the antecedent of K2 or Q2 is C-valid, then so is the consequent.

The set Φ of nonlogical axioms characterizes the class C of interpretations completely iff

$$C \models \varphi \ \text{ iff }\ \Phi \vdash \varphi$$

for all formulas φ.
Here we restrict ourselves to classes $C$ of interpretations whose accessibility relation $\to_\Box$ satisfies a certain condition $C$, and add nonlogical axioms to our proof system so that all $C$-valid formulas can be derived. For example, consider the class REFL of interpretations with a reflexive accessibility relation. The reflexive interpretations REFL clearly satisfy all formulas of the form

REFL $\Box\phi \to \phi$.

In order to show that adding these formulas as nonlogical axioms does not exclude any reflexive interpretations, we have to prove that all inference rules are sound for REFL. An inspection of the proof of Lemma 5.2 reveals that the inference rules are sound for any class $C$ that is determined solely by a condition on the accessibility relation. To show that the chosen nonlogical axioms are sufficient to characterize reflexive interpretations completely, simply observe that, with the axiom schema REFL, the accessibility relation of the canonical model is reflexive. It follows that

$\mathrm{REFL} \models \phi$ iff $\mathrm{REFL} \vdash \phi$

for all formulas $\phi$. The other parts of the following lemma are established similarly. (In fact, the proofs are identical to the corresponding arguments for propositional modal logic, and can, for example, be found in [46].)

Lemma 5.9 (Accessibility conditions) The following nonlogical axiom schemata characterize the corresponding conditions on the accessibility relation $\to_\Box \subseteq \Sigma^2$ completely.

• Reflexivity: $\Box\phi \to \phi$.

• Symmetry: $\phi \to \Box\Diamond\phi$.

• Transitivity: $\Box\phi \to \Box\Box\phi$.

• Seriality and functionality (for all $s \in \Sigma$ there is a [unique] $t \in \Sigma$ such that $s \to_\Box t$): $\Box\phi \to \Diamond\phi$ and $\Diamond\phi \leftrightarrow \Box\phi$.

• Weak connectivity ($s \to_\Box t$ and $s \to_\Box t'$ implies that $t \to_\Box t'$ or $t = t'$ or $t' \to_\Box t$): $\Box((\phi \wedge \Box\phi) \to \psi) \vee \Box((\psi \wedge \Box\psi) \to \phi)$.
Embedding classical logic

We have seen that half-order modal logic corresponds to a fragment of first-order modal logic, because the freeze quantifier can be expressed by conventional quantification in combination with a state variable. Alternatively, half-order modal logic can be viewed as a generalization of first-order classical logic. By showing how to embed classical first-order logic faithfully into a half-order normal logic, we prove the undecidability of the latter.

Suppose that all predicates are rigid. Then we can read the combination "$\Box x.$" of a modal operator and the freeze quantifier as a universal quantifier with restricted scope: it ranges only over the values of adjacent states. Similarly, "$\Diamond x.$" can be viewed as a local existential quantifier. By pursuing this idea, we see that ordinary quantifiers are representable in a half-order modal logic with a universal accessibility relation, that is, in whose models every state is accessible from every other state.

Let RIGID-S5 be the smallest normal logic containing the following nonlogical axioms:

SYMM $\phi \to \Box\Diamond\phi$,

TRANS $\Box\phi \to \Box\Box\phi$,

RIG3 $p\bar\tau \to \Box p\bar\tau$ (for all $p \in R$),

EX $\Diamond x.\, x = y$.

Note that in the presence of EX, which implies $\Diamond\mathit{true}$, the schema

REFL $\Box\phi \to \phi$

is derivable from SYMM and TRANS, while SYMM and RIG3 imply

RIG4 $\neg p\bar\tau \to \Box\neg p\bar\tau$ (for all $p \in R$).

Together, the schemata REFL, SYMM, and TRANS characterize, as for the propositional modal logic S5, accessibility relations that are equivalence relations. The axiom schema EX assures that enough states are accessible (i.e., in the same equivalence class as the initial state). RIG3 and RIG4 assert that all relation symbols are rigid.

Let $\phi$ be a classical formula over the first-order language $(F, R)$, and let $\phi^\circ$ be the formula of half-order modal logic that results from replacing all quantifiers $\forall x.$ and $\exists x.$ by $\Box x.$ and $\Diamond x.$, respectively. The following theorem states that this translation preserves validity.
Proposition 5.1 (Embedding of classical logic) A formula $\phi$ of first-order classical logic is valid iff the formula $\phi^\circ$ of half-order modal logic is contained in RIGID-S5.

Proof of Proposition 5.1 (1) First we show that

$\phi^\circ \to \Box\phi^\circ \in \mathrm{RIGID\text{-}S5}$ (†)

for any classical first-order formula $\phi$. We proceed by induction on the structure of $\phi$, assuming that all negations in $\phi$ have been pushed inside in front of atomic formulas. If $\phi$ is an atomic formula or its negation, use one of RIG1-4. The propositional cases follow from the induction hypothesis by K. If $\phi$ is of the form $\forall x.\,\psi$, then

$\Box x.\,\psi^\circ \to \Box\Box x.\,\psi^\circ$

holds by TRANS. Finally, suppose that the outermost symbol of $\phi$ is an existential quantifier. In this case the inductive step is an instance of $\Diamond\phi \to \Box\Diamond\phi$, which follows from SYMM and TRANS by K.

Now assume that $\phi$ is provable by a complete Hilbert-style proof system for the first-order predicate calculus, say the one given in the textbook by Enderton [38]. Any classical deduction of $\phi$ (in the given proof system) can be transformed into a half-order modal derivation of $\phi^\circ$, thus implying that $\phi^\circ \in \mathrm{RIGID\text{-}S5}$. The only interesting case is the derivation of the translation of the classical quantifier axiom $\psi[x := y] \to \exists x.\,\psi$ in RIGID-S5: from EQ4, by K infer

$\Diamond z.\, z = y \to \Box\psi^\circ[x := y] \to \Diamond x.\,\psi^\circ$,

which implies $\psi^\circ[x := y] \to \Diamond x.\,\psi^\circ$ by EX and (†).

(2) The second direction of the theorem is shown by semantic reasoning. Assume that $\phi^\circ \in \mathrm{RIGID\text{-}S5}$; we show that $\phi$ is true under an arbitrary classical first-order interpretation $I$. Define the class $C_I$ of interpretations for half-order modal logic to contain all interpretations

$\mathcal{M}_I = (\Sigma, \to_\Box, T, |\cdot|, [x]_I, [f]_I, [p]_I, \sigma_0)$

such that

• both $\Sigma$ and $T$ are the universe of $I$,

• $\to_\Box = \Sigma^2$ is universal,

• $|\cdot|$ is the identity (i.e., $|s| = s$), and

• $\bar u \in [p](s)$ iff $\bar u \in [p]_I$,

where $[x]_I$, $[f]_I$, and $[p]_I$ are the assignment functions of $I$ for variables, function symbols, and relation symbols, respectively. Since any state of $\mathcal{M}_I$ can be taken to be initial, we obtain a set $C_I$ of interpretations. It is not hard to see that all interpretations in $C_I$ satisfy the nonlogical axioms of RIGID-S5, and that all inference rules are sound for the class $C_I$. Furthermore,

$C_I \models \phi^\circ$ iff $I \models \phi$.

The theorem follows. ∎
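As an added illustration of the translation $\phi \mapsto \phi^\circ$ and of the interpretations $\mathcal{M}_I$ used in part (2), the following Python (written for this page, not the thesis's own code; the tuple encoding of formulas, all function names and the sample 3-cycle structure are assumptions) evaluates a classical formula over a finite structure and its translation over $\mathcal{M}_I$, and also shows how $\Box x.$ reads as a local quantifier once the accessibility relation is no longer universal:

```python
"""Embedding classical first-order logic into half-order modal logic.

Added example, not code from the thesis: a classical evaluator over a finite
structure, the translation phi -> phi° (forall x. -> box x., exists x. -> dia x.),
and an evaluator over the half-order interpretation M_I whose states are the
elements of the universe, with the universal accessibility relation and the
identity as value function.  Names, encoding and sample structure are this
example's own (hypothetical).
"""
# Formulas are nested tuples (constructed encoding):
#   ('atom', 'R', ('x', 'y'))            rigid relation symbol applied to variables
#   ('not', f) ('and', f, g) ('or', f, g) ('imp', f, g)
#   ('forall', 'x', f) ('exists', 'x', f)         classical quantifiers
#   ('box', f) ('dia', f) ('freeze', 'x', f)      modal operators, freeze quantifier


def _connective(kind, f, evaluate):
    """Shared propositional cases; `evaluate` evaluates a subformula."""
    if kind == 'not':
        return not evaluate(f[1])
    if kind == 'and':
        return evaluate(f[1]) and evaluate(f[2])
    if kind == 'or':
        return evaluate(f[1]) or evaluate(f[2])
    if kind == 'imp':
        return (not evaluate(f[1])) or evaluate(f[2])
    raise ValueError(f'unknown connective {kind}')


def fol_eval(f, I, env):
    """Classical truth of f in the finite structure I under the assignment env."""
    kind = f[0]
    if kind == 'atom':
        return tuple(env[v] for v in f[2]) in I['rels'][f[1]]
    if kind == 'forall':
        return all(fol_eval(f[2], I, {**env, f[1]: u}) for u in I['universe'])
    if kind == 'exists':
        return any(fol_eval(f[2], I, {**env, f[1]: u}) for u in I['universe'])
    return _connective(kind, f, lambda g: fol_eval(g, I, env))


def translate(f):
    """phi -> phi°: 'forall x.' becomes 'box x.' and 'exists x.' becomes 'dia x.'."""
    kind = f[0]
    if kind == 'atom':
        return f
    if kind == 'forall':
        return ('box', ('freeze', f[1], translate(f[2])))
    if kind == 'exists':
        return ('dia', ('freeze', f[1], translate(f[2])))
    return (kind,) + tuple(translate(g) for g in f[1:])


def modal_eval(f, I, state, env, acc=None):
    """Half-order modal truth of f at `state` of M_I.

    States are the elements of the universe and |s| = s, so a freeze binds its
    variable to the current state; relation symbols are rigid (read off I at
    every state).  `acc` is the accessibility relation as a set of pairs;
    None stands for the universal relation of M_I.
    """
    kind = f[0]
    if kind == 'atom':
        return tuple(env[v] for v in f[2]) in I['rels'][f[1]]
    if kind == 'freeze':
        return modal_eval(f[2], I, state, {**env, f[1]: state}, acc)
    if kind in ('box', 'dia'):
        succ = I['universe'] if acc is None else [t for (s, t) in acc if s == state]
        results = (modal_eval(f[1], I, t, env, acc) for t in succ)
        return all(results) if kind == 'box' else any(results)
    return _connective(kind, f, lambda g: modal_eval(g, I, state, env, acc))


def compare_embedding(f, I, env=None):
    """(I |= phi, C_I |= phi°); the second value ranges over every initial state."""
    env = env or {}
    classical = fol_eval(f, I, env)
    modal = all(modal_eval(translate(f), I, s, env) for s in I['universe'])
    return classical, modal


# Constructed sample structure: the directed 3-cycle 0 -> 1 -> 2 -> 0.
CYCLE = {'universe': (0, 1, 2), 'rels': {'R': {(0, 1), (1, 2), (2, 0)}}}

def R(a, b):
    return ('atom', 'R', (a, b))

EVERY_NODE_HAS_SUCCESSOR = ('forall', 'x', ('exists', 'y', R('x', 'y')))
SYMMETRIC = ('forall', 'x', ('forall', 'y', ('imp', R('x', 'y'), R('y', 'x'))))
SOME_SINK = ('exists', 'x', ('forall', 'y', ('not', R('x', 'y'))))

if __name__ == '__main__':
    for name, phi in [('every node has a successor', EVERY_NODE_HAS_SUCCESSOR),
                      ('R is symmetric', SYMMETRIC), ('some node is a sink', SOME_SINK)]:
        print(name, compare_embedding(phi, CYCLE))
    # With a non-universal accessibility relation (here R itself) 'box y.' only
    # ranges over the R-successors of the current state: a local quantifier.
    print(modal_eval(('box', ('freeze', 'y', R('x', 'y'))), CYCLE, 0, {'x': 0},
                     acc=CYCLE['rels']['R']))
```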


Since classical first-order logic is undecidable, so is RIGID-S5. This shows that axiomatizable half-order normal logics are not necessarily decidable. On the other hand, it is not hard to see that every satisfiable formula $\phi$ of half-order logic is satisfiable under an interpretation that contains only a bounded finite number of states and a finite number of values (at most one for every state and one for every term in $\phi$). It follows that K itself is decidable in the half-order case.


5.2 Half-order Temporal Logic

In this subsection, we study half-order extensions of the linear propositional temporal logic PTL. The semantics of half-order temporal logic is restricted to interpretations with a state structure that is isomorphic to the natural numbers $\mathbb{N}$; these "temporal" interpretations are essentially infinite sequences of states. The syntax of half-order temporal logic contains two modal operators: the next operator $\bigcirc$, which is interpreted as "at the immediate successor state," and the always operator $\Box$, meaning "at all successor states."

We show that, unlike in the propositional case, there cannot exist a complete half-order proof system for temporal structures in general. Yet we introduced a decidable half-order temporal logic, TPTL, for the specification and verification of real-time systems. The decidability of TPTL is due to a careful choice of both the set of values (monotonically increasing natural numbers) and the corresponding operations (the zero and successor functions, and the order relation on $\mathbb{N}$). Here we extend our proof system for half-order K to obtain a complete proof system for TPTL.
5.2.1 Syntax and semantics

The formulas of timed temporal logic (TPTL) are the formulas of half-order modal logic with the two modal operators $\bigcirc$ and $\Box$, where

• the set $F$ of function symbols contains only the constant symbol 0 and the unary function symbol $S$ (as in $S$uccessor), and

• the set $R$ of relation symbols contains only propositions $P$ (i.e., relation symbols that take no arguments) and the binary relation symbol $<$ (recall that equality is included in all half-order modal logics).

Abbreviations such as $\le$ and $+5$ are defined as usual. We omit congruence relations to simplify our discussion. The until operator $\mathcal{U}$ will be added later. While all formulas of TPTL, as defined in Chapter 3, used to be closed, we now admit free variables and interpret them universally over the time domain $\mathbb{N}$ (as "parameters").

TPTL is interpreted over digitally timed state sequences, which are temporal structures whose values are monotonically increasing natural numbers. More precisely, a (digitally) timed state sequence is an interpretation

for half-order modal logic such that

• $\to_\bigcirc$ imposes a linear order

$\sigma_0 \to_\bigcirc \sigma_1 \to_\bigcirc \sigma_2 \to_\bigcirc \cdots$

on the set $\Sigma = \{\sigma_i \mid i \ge 0\}$ of states,

• $\to_\Box$ is the reflexive transitive closure of $\to_\bigcirc$,

• $|\sigma_i| \le |\sigma_{i+1}|$ for all $i \ge 0$,

• for all $n \in \mathbb{N}$, there is some $i \ge 0$ such that $|\sigma_i| \ge n$,

• 0 denotes zero (i.e., $[0] = 0$),

• $S$ denotes the successor function on $\mathbb{N}$ (i.e., $[S](n) = n + 1$), and

• $<$ rigidly denotes the order relation on $\mathbb{N}$ (i.e., $[<](\sigma, m, n)$ iff $m < n$).

We denote the set of timed state sequences by $\mathit{TSS}^{\mathbb{N}}_P$, or simply $\mathit{TSS}^{\mathbb{N}}$.

The correspondence with the previous definition of timed state sequences is obvious: any timed state sequence can be viewed as an infinite sequence of states $\sigma_i \subseteq P$, for $i \ge 0$, together with an assignment function for the variables. Each of the states specifies the propositions that are true in that state (let $p \in \sigma_i$ iff $\sigma_i \in [p]$), and has a value $|\sigma_i|$ associated with it. The values satisfy the monotonicity condition that, for all $i \ge 0$,

$|\sigma_i| \le |\sigma_{i+1}|$,

and the progress condition that, for all $n \in \mathbb{N}$, there is some $i \ge 0$ such that

$|\sigma_i| \ge n$.

Both conditions are motivated by the original design of TPTL as a real-time logic: the values that are associated with the states can be interpreted as time-stamps; think of state $\sigma$ as representing the state of a system at time $|\sigma|$. From this point of view, the freeze quantifier binds the associated variable $x$ to the "current" time.

Recall that, even though time is discrete, the notion of "next time" is entirely independent of "next state"; successive states may have the same or vastly different times associated with them, as long as the time does not decrease. If desired, the requirement that the time always increases by 1 between successive states, and thus acts as a state counter, can be expressed within TPTL, by the formula

$\Box x.\,\bigcirc y.\, y = x + 1$. ($\mathit{TSS}_{+1}$)


5.2.2 Proof system

We extend the proof system for half-order K by axioms for timed state sequences. The following three axiom schemata completely characterize temporal structures in propositional temporal logic [40]:

LIN1 $\bigcirc\neg\phi \leftrightarrow \neg\bigcirc\phi$,

LIN2 $\Box\phi \to \phi \wedge \bigcirc\Box\phi$,

LIN3 $\phi \to \Box(\phi \to \bigcirc\phi) \to \Box\phi$.

Note that LIN1 asserts the functionality of $\to_\bigcirc$, and that LIN2 immediately implies REFL: $\Box\phi \to \phi$. LIN3 gives an induction principle.

In addition, we need a set of axioms that allows us to derive all universal sentences of the decidable classical first-order theory of $(\mathbb{N}, 0, S, <)$. For instance, the following group of NAT axioms from the textbook by Enderton has this completeness property, as can be shown by a quantifier-elimination procedure [38]:

NAT1 $x < Sy \leftrightarrow x \le y$,

NAT2 $x < y \vee x = y \vee y < x$,

NAT3 $x < y \to y \not< x$,

NAT4 $x < y \to y < z \to x < z$,

NAT5 $x \not< 0$.

The axiom MON states that the time is monotonically increasing from state to state; the axiom schema PRO asserts that time diverges and assures that all free variables are interpreted as finite natural numbers:

MON $x.\,\bigcirc y.\, x \le y$,

PRO $\Diamond x.\, x > y$,

RIG5 $\tau_1 < \tau_2 \to \bigcirc\,\tau_1 < \tau_2$.

RIG5 is sufficient to guarantee the rigidity of $<$ (see the upcoming lemma on sample theorems).

Let TPTL be the set of formulas consisting of LIN1-3, NAT1-5, MON, PRO, and RIG5. We show that TPTL is the smallest normal logic that contains the nonlogical axioms TPTL; that is,

$\mathit{TSS}^{\mathbb{N}} \models \phi$ iff $\mathrm{TPTL} \vdash \phi$

for every formula $\phi$ of TPTL. It is straightforward to convince yourself that every nonlogical axiom is $\mathit{TSS}^{\mathbb{N}}$-valid (i.e., true in all timed state sequences). Moreover, as timed state sequences are closed under suffixes, all inference rules are sound for $\mathit{TSS}^{\mathbb{N}}$. Before proving completeness, we derive some additional formulas that will be useful later.

Sample proofs

The following theorems can be proved purely propositionally (see, for example, [46] for the derivations):

TRANS $\Box\phi \to \Box\Box\phi$,

LIN4 $\Box\phi \leftrightarrow \phi \wedge \bigcirc\Box\phi$,

LINS  0(0^  -♦  ^,)  V 

LIN6  —  04>)  —  —  oa<^  -♦  0(t>. 


Lemma 5.10 (Sample theorems of TPTL) Any normal logic that is closed under the axioms TPTL contains the following formulas of TPTL:

MON' $x.\,\Box y.\, x \le y$.

RIG6 $\tau_1 \not< \tau_2 \to \bigcirc\,\tau_1 \not< \tau_2$.

RIG7 $\tau_1 < \tau_2 \to \Box\,\tau_1 < \tau_2$.

RIG8 $\tau_1 \not< \tau_2 \to \Box\,\tau_1 \not< \tau_2$.

TSS1 $\Box x.\,\bigcirc y.\, y = x \to x.\,\Box y.\, y = x$.

TSS2 $x.\,\Box y.\, y = x \to (x.\,\Box\phi \leftrightarrow \Box x.\,\phi)$.


Proof of Lemma 5.10 MON' generalizes the monotonicity axiom MON. Its proof demonstrates the application of the induction schema LIN3. By applying Q* to LIN3, it suffices to derive the "base case"

$x.\,y.\, x \le y$

and the "inductive step"

$x.\,\Box(y.\, x \le y \to \bigcirc y.\, x \le y)$.

The base case follows from QEQ by Q* (from now on we suppress mention of applications of the equality axioms EQ). To show the inductive step, by Q2* and K2$_\Box$ it suffices to derive

$y.\, x \le y \to \bigcirc y.\, x \le y$.

NAT:

$x \le y \to y \le z \to x \le z$.

By Q* and K$_\bigcirc$:

$\bigcirc\, x \le y \to \bigcirc\, y \le z \to \bigcirc\, x \le z$.

By RIG1-2$_\bigcirc$, RIG5, and Q*:

$y.\, x \le y \to y.\,\bigcirc z.\, y \le z \to y.\,\bigcirc z.\, x \le z$.

The desired conclusion follows by MON, REFL, and VAR2.

RIG6 can be inferred from NAT:

$\tau_1 \not< \tau_2 \leftrightarrow (\tau_1 = \tau_2 \vee \tau_2 < \tau_1)$

by RIG1$_\bigcirc$, RIG5, and K$_\bigcirc$. RIG7 (and RIG8) follow from LIN3 by RIG5 (RIG6, respectively) and K2$_\bigcirc$. Note that the rigidity axioms RIG1-2$_\Box$ are similarly derivable from RIG1-2$_\bigcirc$, and thus can be omitted.

TSS1 is again derived by induction. By applying Q* to LIN3, it suffices to derive the base case $x.\,y.\, y = x$, which holds by QEQ, and the inductive step

$\Box x.\,\bigcirc y.\, y = x \to x.\,\Box(y.\, y = x \to \bigcirc y.\, y = x)$.

Using Q*, K$_\Box$, and VAR2, it suffices to show that

$y.\,\bigcirc z.\, z = y \to y.\, y = x \to \bigcirc z.\, z = x$,

which follows from EQ4 by Q*.

TSS2 follows from EQ4 by K$_\Box$ and Q*. ∎

Updating time references

Let $\mathit{Next}_\delta$ and $\mathit{Next}_{>\Delta}$ be abbreviations for the two formulas

$x.\,\bigcirc y.\, y = x + \delta$,

$x.\,\bigcirc y.\, y > x + \Delta$,

respectively, which assert that the time difference between the current state and its successor state is exactly $\delta \in \mathbb{N}$ (greater than $\Delta \in \mathbb{N}$, respectively). These time-difference formulas will be used to update, in TPTL-formulas, references to the times of previous states. For example, the formula $x.\,\Box\psi$ holds in a state that contains $\mathit{Next}_\delta$ iff $x.\,\psi$ is true in that state and, intuitively speaking, "$x.\,\Box\psi[x := x - \delta]$" is true in its successor state. If $\delta$ is greater than the number of successor symbols occurring in $\psi$ and $x.\,\psi$ is closed, then the monotonicity of time can be exploited to simplify, to true or false, all timing constraints in "$x.\,\Box\psi[x := x - \delta]$" that refer to the current time $x$.

Let $x.\,\phi$ be a closed formula of TPTL. As in Chapter 4, we write $x.\,\phi^\delta$ for the TPTL-formula that expresses the condition "$x.\,\phi[x := x - \delta]$"; that is, $x.\,\phi^\delta$ results from $x.\,\phi$ by updating all references of $\phi$ to the current time $x$ by the time difference $\delta$. From now on, whenever we write $x.\,\phi^\delta$, there is an implicit condition that the formula $x.\,\phi$ is closed. According to Lemma 4.1, we have that

$\mathcal{M}[x := |\sigma_0| - \delta] \models \phi$ iff $\mathcal{M} \models x.\,\phi^\delta$

for every time difference $\delta \in \mathbb{N}$ and timed state sequence $\mathcal{M}$ with $|\sigma_0| \ge \delta$. On the syntactic side, we have to make sure that our proof system is strong enough to derive the following facts about the updating of time references.


Lemma 5.11 (More theorems of TPTL) Let $\Delta$ be the number of successor symbols in the formula $\phi$ of TPTL. Any normal logic that is closed under the axioms TPTL contains the following formulas (let $x$ be different from $y$):

UPD1 $y.\, y = x + \delta \to (\phi[y := x] \leftrightarrow \phi^\delta)$.

UPD2 $y.\, y > x + \Delta \to (\phi[y := x] \leftrightarrow \phi^{\Delta+1})$.

UPD3 $\mathit{Next}_\delta \to (x.\,\bigcirc\phi \leftrightarrow \bigcirc x.\,\phi^\delta)$.

UPD4 $\mathit{Next}_{>\Delta} \to (x.\,\bigcirc\phi \leftrightarrow \bigcirc x.\,\phi^{\Delta+1})$.

CLOCK $(\bigvee_{0 \le \delta \le \Delta} \mathit{Next}_\delta) \vee \mathit{Next}_{>\Delta}$.

Proof of Lemma 5.11 UPD1 and UPD2 constitute the syntactic counterpart to the time-step lemma, Lemma 4.1; they capture the essence of the definition of $x.\,\phi^\delta$. The proofs of UPD1 and UPD2 proceed by induction on the structure of $\phi$. Consider UPD1. By Q* it suffices to derive

$y = x + \delta \to (\phi[y := x] \leftrightarrow \phi^\delta)$.

The base cases follow from NAT. We present only the inductive step that introduces a new quantifier. By the condition of safe substitutivity, in

$y = x + \delta \to ((z.\,\phi)[y := x] \leftrightarrow (z.\,\phi)^\delta)$

the variable $z$ has to be different from both $x$ and $y$; hence derive

$y = x + \delta \to (z.\,\phi[y := x] \leftrightarrow z.\,\phi^\delta)$,

which follows from the induction hypothesis by Q*.

UPD3 follows from UPD1 by K$_\bigcirc$, Q*, and VAR2 (rename $y$ so that it does not occur in $\phi$). UPD4 follows similarly from UPD2.

CLOCK is, in fact, derivable for any constant $\Delta \ge 0$ and with exclusive-or connectives, implying that every state contains a unique time-difference formula. From NAT:

$x \le y \to ((\bigvee_{0 \le \delta \le \Delta} y = x + \delta) \vee y > x + \Delta)$,

infer

$x.\,\bigcirc y.\, x \le y \to \mathrm{CLOCK}$

by Q*, K$_\bigcirc$, and LIN1. CLOCK follows by MON and REFL. ∎


5.2.3 Completeness

We show that the proof system for half-order K together with the nonlogical axioms TPTL is complete for TPTL. The organization of the proof follows largely the completeness proof of Gabbay, Pnueli, Shelah, and Stavi for the propositional case, PTL, as presented by Goldblatt [46]. We proceed in two main steps:

Filtration Given a consistent TPTL-formula $\phi_0$, the canonical-model construction does not directly provide a timed state sequence, because $\to_\Box$ is not the transitive closure of $\to_\bigcirc$. In order to have the induction axiom LIN3 force $\to_\Box$ to be the transitive closure of $\to_\bigcirc$, we have to be able to characterize, by a TPTL-formula, all states that are reachable from the starting state by repeated traversal of $\to_\bigcirc$. This is achieved by collapsing the states of the canonical model into a finite number of finitely representable states (i.e., finite, consistent sets of formulas). Our filtration process is derived from the tableau decision procedure for TPTL.

Unrolling While the structure $\mathcal{M}^\Gamma(\phi_0)$ that is obtained by filtration of the canonical model satisfies the desired transitive-closure property, it is still not a timed state sequence. The problem is that a state may have multiple successor states. Thus, in a second step, we unroll the states of $\mathcal{M}^\Gamma(\phi_0)$ into a timed state sequence $\mathcal{M}^{\mathbb{N}}(\phi_0)$. If the unrolling is done carefully, in a way that preserves the truth of all eventualities, then the resulting "canonical" timed state sequence is, at last, a model for $\phi_0$.

Let us assume that $\phi_0$ does not contain any timing assertions that compare a variable with a natural number, and that $\phi_0$ is closed. Absolute time references (such as $x = 5$ or $x + 1 > 3$) and free variables ("parameters") have to be treated with some care; we delay their discussion until later. We also assume that all bound variables in $\phi_0$ are distinct; this can always be achieved by renaming. Let

$\mathcal{M}(\phi_0) =$

be the canonical model for $\phi_0$, as constructed in the previous section. First, we remark that we may forget about the actual values (times) that are associated with the states in $\mathcal{M}(\phi_0)$, because the formulas $\mathit{Next}_\delta$ keep track of the time differences between adjacent states. In any timed state sequence, we can reconstruct the times from these time-difference formulas, modulo the initial time.

Filtration

Let $\Delta$ be the number of successor symbols $S$ occurring in $\phi_0$. The key observation underlying the filtration is that we can restrict our attention to a finite number of time-difference formulas, namely $\mathit{Next}_\delta$ for all $0 \le \delta \le \Delta$ and $\mathit{Next}_{>\Delta}$. This is because if the time difference between two states is larger than $\Delta$, its actual value has no bearing on the truth of $\phi_0$; thus every model of $\phi_0$ can be compressed into a model all of whose time steps are at most $\Delta + 1$ (simply reduce larger time steps to $\Delta + 1$). It follows that the truth of any TPTL-formula is determined by the truth of finitely many "subformulas." The closure $\mathit{Closure}(\phi_0)$ of $\phi_0$ under subformulas is defined essentially as in Chapter 4, as the smallest (i.e., finite) set containing $x.\,\phi_0$ for some $x \notin \phi_0$ that is closed under the following operation Sub:

$\mathit{Sub}(z.\,(\phi_1 \to \phi_2)) = \{z.\,\phi_1,\ z.\,\phi_2\}$,

$\mathit{Sub}(z.\,\bigcirc\phi) = \{z.\,\phi^\delta \mid 0 \le \delta \le \Delta + 1\}$,

$\mathit{Sub}(z.\,\Box\phi) = \{z.\,\phi,\ z.\,\bigcirc\Box\phi\}$,

$\mathit{Sub}(z.\,x.\,\phi) = \{z.\,\phi[x := z]\}$.

Let the finite filtration set $\Gamma$ contain all formulas in $\mathit{Closure}(\phi_0)$ as well as the time-difference formulas $\mathit{Next}_\delta$, for $0 \le \delta \le \Delta$, and $\mathit{Next}_{>\Delta}$. Note that the outermost symbol of every formula in $\Gamma$ is a quantifier.
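As an added example covering both the updating of time references $x.\,\phi^\delta$ (Lemma 4.1 and Lemma 5.11) and the closure $\mathit{Closure}(\phi_0)$ with its filtration set $\Gamma$, the following Python (written for this page, not the thesis's own code; the tuple encoding, the function names and the sample formula are assumptions) computes $x.\,\phi^\delta$ by shifting the references to $x$ and deciding every timing constraint that the monotonicity of time settles, then enumerates the finite closure and $\Gamma$ for a sample bounded-step formula:

```python
"""Time-reference updates x.phi^delta and the closure used for TPTL filtration.

Added example, not the thesis's code: `update` computes x.phi^delta for a closed
x.phi (substitute x := x - delta, then decide by monotonicity of time every
timing constraint the shift settles), `closure` computes Closure(phi0) with the
operation Sub of the text, `filtration_set` adds the Next formulas.  Encoding,
names and sample are this example's own; 'not' is treated like 'imp'.
"""
# Encoding (constructed): ('prop', 'p'); ('cmp', ('x', m), op, ('y', n)) means
# x + m op y + n, op in '<', '<=', '=' (offset m = m successor symbols); ('true',);
# ('false',); ('not', f); ('imp', f, g); ('next', f); ('always', f); ('freeze', 'x', f).
TRUE, FALSE = ('true',), ('false',)

def successor_count(f):
    """Delta: the number of successor symbols S in f (the sum of all offsets)."""
    kind = f[0]
    if kind == 'cmp':
        return f[1][1] + f[3][1]
    if kind in ('prop', 'true', 'false'):
        return 0
    if kind == 'freeze':
        return successor_count(f[2])
    return sum(successor_count(g) for g in f[1:])

def normalize(atom, depth):
    """Shift offsets so the smaller is 0, then decide the constraint when the binding
    order settles it: an outer freeze variable (smaller depth) holds an earlier-or-equal
    time, so |a| <= |b| whenever depth[a] < depth[b]."""
    _, (a, m), op, (b, n) = atom
    k = min(m, n)
    m, n = m - k, n - k
    if a == b:
        return TRUE if {'<=': m <= n, '<': m < n, '=': m == n}[op] else FALSE
    if depth[a] < depth[b]:                        # |a| <= |b|
        if (op == '<=' and m <= n) or (op == '<' and m < n):
            return TRUE
        if op == '=' and m < n:
            return FALSE
    elif (op == '<' and m >= n) or (op in ('<=', '=') and m > n):   # |a| >= |b|
        return FALSE
    return ('cmp', (a, m), op, (b, n))

def _walk(f, edit, depth):
    """Apply `edit` to every (variable, offset) pair in f and normalize; `depth`
    records the binding order of the freeze variables seen so far."""
    kind = f[0]
    if kind == 'cmp':
        return normalize(('cmp', edit(f[1]), f[2], edit(f[3])), depth)
    if kind in ('prop', 'true', 'false'):
        return f
    if kind == 'freeze':
        return ('freeze', f[1], _walk(f[2], edit, {**depth, f[1]: len(depth)}))
    return (kind,) + tuple(_walk(g, edit, depth) for g in f[1:])

def update(f, delta):
    """x.phi^delta for the closed formula f = x.phi (Lemma 4.1, syntactic side)."""
    x = f[1]
    return ('freeze', x, _walk(f[2], lambda t: (x, t[1] - delta) if t[0] == x else t, {x: 0}))

def sub(f, delta_max):
    """Sub(z.psi): the immediate 'subformulas' of a closure element, as in the text."""
    z, psi = f[1], f[2]
    kind = psi[0]
    if kind in ('imp', 'not'):
        return {('freeze', z, g) for g in psi[1:]}
    if kind == 'next':      # z.O psi' -> z.psi'^delta for 0 <= delta <= Delta + 1
        return {update(('freeze', z, psi[1]), d) for d in range(delta_max + 2)}
    if kind == 'always':    # z.[]psi' -> z.psi' and z.O[]psi'
        return {('freeze', z, psi[1]), ('freeze', z, ('next', psi))}
    if kind == 'freeze':    # z.x.psi' -> z.psi'[x := z]
        x = psi[1]
        return {('freeze', z, _walk(psi[2], lambda t: (z, t[1]) if t[0] == x else t, {z: 0}))}
    return set()            # propositions, timing constraints, true, false

def closure(phi0, z='z'):
    """Closure(phi0): the least set containing z.phi0 (z not in phi0) closed under Sub."""
    delta_max = successor_count(phi0)
    seen, todo = set(), [('freeze', z, phi0)]
    while todo:
        f = todo.pop()
        if f not in seen:
            seen.add(f)
            todo.extend(sub(f, delta_max))
    return seen

def next_formula(delta, delta_max, x='u', y='v'):
    """Next_delta = x.O y. y = x + delta (delta <= Delta); else Next_{>Delta} = x.O y. y > x + Delta."""
    atom = (('cmp', (y, 0), '=', (x, delta)) if delta <= delta_max
            else ('cmp', (x, delta_max), '<', (y, 0)))
    return ('freeze', x, ('next', ('freeze', y, atom)))

def filtration_set(phi0):
    """Gamma: Closure(phi0) plus Next_0, ..., Next_Delta and Next_{>Delta}."""
    delta_max = successor_count(phi0)
    return closure(phi0) | {next_formula(d, delta_max) for d in range(delta_max + 2)}

# Constructed sample: p -> x.O y. y <= x + 1 (if p holds now, the next state is at
# most one time unit later); it has Delta = 1.
BOUNDED_STEP = ('imp', ('prop', 'p'),
                ('freeze', 'x', ('next', ('freeze', 'y', ('cmp', ('y', 0), '<=', ('x', 1))))))

if __name__ == '__main__':
    for g in sorted(closure(BOUNDED_STEP), key=repr):
        print(g)
    print(len(filtration_set(BOUNDED_STEP)), 'formulas in the filtration set')
```

For the sample, the update for a time step of 2 (larger than $\Delta$) turns the constraint $y \le x + 1$ into false, which is what keeps the closure finite.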

For $s, s' \in \Sigma$, let $s \sim_\Gamma s'$ iff

$s \cap \Gamma = s' \cap \Gamma$,

and $s^\Gamma = \{s' \mid s' \sim_\Gamma s\}$. We overload the symbol $\in$ by writing $\phi \in s^\Gamma$ iff $\phi \in s'$ for all $s' \sim_\Gamma s$ (observe that $\sim_\Gamma$ is an equivalence relation). Let $\mathcal{M}^\Gamma(\phi_0)$ be the state structure that results from the canonical model $\mathcal{M}(\phi_0)$ by ignoring the values and identifying all states that agree on $\Gamma$:

• $\Sigma^\Gamma = \{s^\Gamma \mid s \in \Sigma \text{ and } s_0 \to_\Box s\}$ (the reachable consistent subsets of $\Gamma$),

• $s^\Gamma \to_\bigcirc t^\Gamma$ iff $s' \to_\bigcirc t'$ for some $s' \sim_\Gamma s$ and some $t' \sim_\Gamma t$,

• $s^\Gamma \to_\Box t^\Gamma$ iff $s^\Gamma (\to_\bigcirc)^n t^\Gamma$ for some $n \ge 0$ (the reflexive transitive closure of $\to_\bigcirc$),

• $[p]^\Gamma(s^\Gamma)$ iff $p \in s'$ for all $s' \sim_\Gamma s$.

Note that there are only finitely many states $s^\Gamma$, each of which can be uniquely identified by a characteristic formula $\phi(s) \in s$, which is a finite conjunction of formulas and negated formulas from $\Gamma$:

$\phi(s) = \bigwedge_{\psi \in \Gamma \cap s} \psi \wedge \bigwedge_{\psi \in \Gamma - s} \neg\psi$.

Let $s^\Gamma \Rightarrow_\Box t^\Gamma$ iff for all $s' \sim_\Gamma s$, there is some $t' \sim_\Gamma t$ such that $s' \to_\Box t'$. The following lemma is proved similarly to the propositional case [46].

Lemma 5.12 (Filtration)

(1) $\to_\bigcirc$ is serial.

(2) $s \to_\Box t$ implies $s^\Gamma \to_\Box t^\Gamma$.

(3) $\to_\Box$ is reflexive, transitive, and connected (i.e., $s^\Gamma \to_\Box t^\Gamma$ or $t^\Gamma \to_\Box s^\Gamma$).

(4) $\Rightarrow_\Box$ is reflexive, transitive, connected, and $\Rightarrow_\Box \subseteq \to_\Box$.
Proof of Lemma 5.12 (1) LIN1 ensures the functionality of $\to_\bigcirc$ on the canonical model by Lemma 5.9; this implies the seriality of $\to_\bigcirc$ on $\Sigma^\Gamma$. We remark that $\to_\bigcirc$ on $\Sigma^\Gamma$ is, however, not functional.

(2) Suppose that $s \to_\Box t$. Let $\psi$ be the finite disjunction of all characteristic formulas $\phi(r)$ with $s^\Gamma \to_\Box r^\Gamma$; clearly $\psi \in r$ iff $s^\Gamma \to_\Box r^\Gamma$. Use the induction schema LIN3 to show that $\Box\psi \in s$, which implies that $\psi \in t$.

(3) Reflexivity and transitivity hold by definition. Lemma 5.9 implies that the relation $\to_\Box$ of the canonical model is reflexive because of REFL, transitive because of TRANS, and weakly connected because of REFL and LIN3; hence it is connected on all states reachable from $s_0$ by $\to_\Box$. The connectivity of $\to_\Box$ on $\Sigma^\Gamma$ follows by part (2).

(4) The reflexivity, transitivity, and connectivity of $\Rightarrow_\Box$ follow from the corresponding properties of $\to_\Box$ (see part (3)). Part (2) implies that $\Rightarrow_\Box \subseteq \to_\Box$. ∎

Unrolling

Lemma 5.12 implies that $\mathcal{M}^\Gamma(\phi_0)$ consists of a finite sequence of strongly connected $\to_\Box$-components, each one of which consists of a finite sequence of strongly connected $\to_\bigcirc$-components. We will construct a temporal model for $\phi_0$ by unrolling $\mathcal{M}^\Gamma(\phi_0)$ into an infinite sequence of states. This has to be done in a way such that, whenever some state contains an eventuality $z.\,\Diamond\phi$, then it is satisfied in a state that is unrolled "later." The following lemma guarantees this property for the unrolling that maintains the order of strongly connected components and repeats all states in the final $\to_\bigcirc$-component infinitely often.

Lemma  5.13  (Unrolling)  j45«tme  that  is  equivalent  to  a  formula  in  T.  Lei  s  be 
such  that  7^0  some  t.  If  ^  s,  then  either  ^  ^  s,  or  (p  for  some  t  such  that 

and  7^0 

Proof of Lemma 5.13 Let $\phi$ be equivalent to a formula in $\Gamma$; then, for all $s, t$ with $s \sim_\Gamma t$, $\phi \in s$ iff $\phi \in t$ and, by K$_\bigcirc$, $\bigcirc\phi \in s$ iff $\bigcirc\phi \in t$. The proof proceeds as in the propositional case, using Lemma 5.12 and LIN6 [46]. ∎

Lemma 5.13 allows us to unroll $\mathcal{M}^\Gamma(\phi_0)$, in the described fashion, into an infinite sequence of states $\sigma_i$, for $i \ge 0$, such that

• $\sigma_0 = s_0^\Gamma$,

• $\sigma_i \to_\bigcirc \sigma_{i+1}$, and

• whenever $\sigma_i = s^\Gamma$, $\Diamond\phi \in s$, and $\phi$ is equivalent to some formula in $\Gamma$, then $\phi \in t$ for some $t$ such that $\sigma_j = t^\Gamma$ for some $j \ge i$.

CLOCK implies that every state $\sigma_i$ contains one of the time-difference formulas. We reassign, in accordance with the time-difference formulas, times to all the states, thus obtaining the canonical timed state sequence

$\mathcal{M}^{\mathbb{N}}(\phi_0) =$

where

• $\Sigma = \{\sigma_i \mid i \ge 0\}$,

• $\to_\Box$ is the reflexive transitive closure of $\to_\bigcirc$,

• $|\sigma_{i+1}| = |\sigma_i| + \delta$ if $\mathit{Next}_\delta \in \sigma_i$, and $|\sigma_{i+1}| = |\sigma_i| + \Delta + 1$ if $\mathit{Next}_{>\Delta} \in \sigma_i$.

Note that $|\sigma_0|$ and $[x]$ are arbitrary; they need to be specified only in case $\phi_0$ contains any absolute time references or free variables, respectively. The following main theorem asserts that we have indeed constructed a model of $\phi_0$. The proof depends crucially on Lemma 4.1 as well as UPD3 and UPD4, which ensure the consistency of all timing constraints.

Theorem 5.2 (Canonical timed state sequence) Let $\mathcal{M}^{\mathbb{N}}(\phi_0)$ be the canonical timed state sequence for the formula $\phi_0$ of TPTL. Then $\phi \in \sigma_i$ iff $\mathcal{M}^{\mathbb{N}}(\phi_0)[\sigma_0 := \sigma_i] \models \phi$ for all $i \ge 0$ and $\phi \in \mathit{Closure}(\phi_0)$.

Proof of Theorem 5.2 We apply induction on the structure of $\phi$, for $\phi \in \mathit{Closure}(\phi_0)$.

If $\phi$ is of the form $z.\,p$ for some proposition $p$, use Q3. The case that $\phi$ is of the form $x.\, m = n$, $x.\, m < n$, $x.\, x + m = x + n$, or $x.\, x + m < x + n$ follows from NAT and Q*. The propositional cases are established by Q*. If $\phi$ is of the form $z.\,x.\,\psi$, use Lemma 5.7 and VAR1.
Now suppose that $\phi$ is of the form $z.\,\bigcirc\psi$ and $|\sigma_{i+1}| = |\sigma_i| + \delta$; that is, $\mathit{Next}_\delta \in \sigma_i$ if $\delta \le \Delta$, and $\mathit{Next}_{>\Delta} \in \sigma_i$ otherwise. Furthermore, by the definition of $\to_\bigcirc$ there are $s, t$ such that $\sigma_i = s^\Gamma$, $\sigma_{i+1} = t^\Gamma$, and $s \to_\bigcirc t$. Then,

$\mathcal{M}^{\mathbb{N}}(\phi_0)[\sigma_0 := \sigma_i] \models z.\,\bigcirc\psi$

iff $z.\,\psi^\delta \in t$ by Lemma 4.1 and the induction hypothesis. LIN1 and the canonical-model construction imply that $z.\,\psi^\delta \in t$ iff $\bigcirc z.\,\psi^\delta \in s$; and $\bigcirc z.\,\psi^\delta \in s$ iff $z.\,\bigcirc\psi \in \sigma_i$ follows from UPD3 or UPD4.

Finally, suppose that $\phi$ is of the form $z.\,\Box\psi$. Let $\delta_j = |\sigma_j| - |\sigma_i|$ for all $j \ge i$. In this case,

$\mathcal{M}^{\mathbb{N}}(\phi_0)[\sigma_0 := \sigma_i] \models z.\,\Box\psi$

iff $z.\,\psi^{\delta_j} \in \sigma_j$ for all $j \ge i$, by Lemma 4.1 and the induction hypothesis.

We show that $z.\,\Box\psi \in \sigma_i$ implies $z.\,\Box\psi^{\delta_j} \in \sigma_j$ for all $j \ge i$, by induction on $j$; then $z.\,\psi^{\delta_j} \in \sigma_j$ by LIN4 and Q*. Assume that $z.\,\Box\psi^{\delta_j} \in \sigma_j$ and $\mathit{Next}_{\delta'} \in \sigma_j$, and show that $z.\,\Box\psi^{\delta_j + \delta'} \in \sigma_{j+1}$. By the definition of $\to_\bigcirc$ there are $s, t$ such that $\sigma_j = s^\Gamma$, $\sigma_{j+1} = t^\Gamma$, and $s \to_\bigcirc t$. From $z.\,\Box\psi^{\delta_j} \in s$, by LIN4 and Q*, $z.\,\bigcirc\Box\psi^{\delta_j} \in s$. Since $\mathit{Next}_{\delta'} \in s$, by UPD3 or UPD4, $\bigcirc z.\,\Box\psi^{\delta_j + \delta'} \in s$. Hence $z.\,\Box\psi^{\delta_j + \delta'} \in t$ by the canonical-model construction.

Conversely, assume that $z.\,\Box\psi \notin \sigma_i$ and $z.\,\psi^{\delta_j} \in \sigma_j$ for all $j \ge i$, and derive a contradiction. First observe that, by induction on $j$, it follows that $z.\,\Diamond\neg\psi^{\delta_j} \in \sigma_j$ for all $j \ge i$.

We distinguish two cases. If $\delta_j > \Delta$ for some $j \ge i$, then $z.\,\Diamond\neg\psi^{\delta_j} \in \sigma_j$ and $z.\,\psi^{\delta_j} \in \sigma_{j'}$ for all $j' \ge j$ (for time differences above $\Delta$ the updated formulas coincide). Let $\sigma_j = s^\Gamma$. Since $z \notin \psi^{\delta_j}$, by Q* $z.\,\Diamond\neg\psi^{\delta_j}$ is equivalent to $\Diamond z.\,\neg\psi^{\delta_j}$; hence, by Lemma 5.13 there is some $j' \ge j$ with $\sigma_{j'} = t^\Gamma$ and $z.\,\neg\psi^{\delta_j} \in t$, contradicting $z.\,\psi^{\delta_j} \in \sigma_{j'}$.

On the other hand, suppose that there is some $j \ge i$ such that $\delta_{j'}$ is constant for all $j' \ge j$; there is some such $j \ge i$ such that $\sigma_j = s^\Gamma$ and $s^\Gamma$ is in the final $\to_\bigcirc$-component of $\mathcal{M}^\Gamma(\phi_0)$. Therefore $\mathit{Next}_0 \in \sigma_{j'}$ for all $j' \ge j$. By part (2) of Lemma 5.12, $\mathit{Next}_0 \in t$ for all $t$ such that $s \to_\Box t$; thus $\Box\mathit{Next}_0 \in s$ by Theorem 5.1. By TSS1, $z.\,\Box x.\, x = z \in s$, and by TSS2, $z.\,\Diamond\neg\psi^{\delta_j}$ is equivalent to $\Diamond z.\,\neg\psi^{\delta_j}$. Hence, by Lemma 5.13 there is some $j' \ge j$ with $z.\,\neg\psi^{\delta_j} \in \sigma_{j'}$, again a contradiction. ∎

This finishes the completeness proof for TPTL. We conclude by indicating how absolute time references, free variables, and until operators can be incorporated into our argument. A detailed formal treatment of these cases is straightforward and left to the ambitious reader.

Absolute time references

To handle absolute time references, we include in the filtration set $\Gamma$ all formulas of the form $x.\,x = \delta$ for $0 \le \delta \le \Delta$, as well as $x.\,x > \Delta$. In the definition of the canonical timed state sequence let $|\sigma_0| = \delta$ if $x.\,x = \delta \in \sigma_0$, and $|\sigma_0| = \Delta + 1$ if $x.\,x > \Delta \in \sigma_0$. The additional base cases in the proof of the main theorem can be shown by induction on the canonical state sequence.

Free variables

If $\phi_0$ contains free variables, then it is no longer the case that every model can be compressed into a model all of whose time steps are at most $\Delta + 1$. However, it is not hard to see that, if $\phi_0$ contains $N$ free variables, then $\phi_0$ is satisfiable iff it is satisfiable by a timed state sequence all of whose time steps are at most $\Delta' = (N + 1)(\Delta + 1)$. This is because, in any interpretation, the difference between any two times that are either associated with a state or a free variable can be reduced to $\Delta + 1$ without changing the truth of $\phi_0$.

Thus the completeness proof goes through if we take the filtration set $\Gamma$ large enough (replace $\Delta$ by $\Delta'$), and include all formulas of the form $z.\,z = x + \delta$ and $x = y + \delta$, for $0 \le \delta \le \Delta'$, as well as $z.\,z > x + \Delta'$ and $x > y + \Delta'$, for all free variables $x, y \in \phi_0$ (recall that $z \notin \phi_0$). For this purpose, it is necessary to redefine the time-update function $\psi^{*}$ for TPTL-formulas with free variables; for instance, let $z.\,(z < x)^{*}$ be the formula

$z.\,(z < x \lor z = x)$.

The axiom PRO ensures that the variable assignment function of the canonical timed state sequence can be defined properly. If the progress condition on timed state sequences is dropped, we can obtain a complete proof system by replacing the nonlogical axiom PRO with the weaker version

PRO'  $\Box x.\,\Diamond y.\,y > x \;\to\; \Diamond z.\,x > z$.

We point out that the canonical-model construction for TPTL-formulas with free variables leads to a tableau-based decision procedure for TPTL with free variables, whose validity problem is, therefore, no harder than determining the validity of closed TPTL-formulas.

Until operators

Also the addition of the temporal until operator $\mathcal{U}$ yields no surprises. The syntax of TPTL can be extended to admit formulas of the form $\phi_1\,\mathcal{U}\,\phi_2$ such that for any timed state sequence $\mathcal{M}$:

$\mathcal{M} \models \phi_1\,\mathcal{U}\,\phi_2$ iff $\mathcal{M}[\sigma_0 := \sigma_i] \models \phi_2$ for some $i \ge 0$, and $\mathcal{M}[\sigma_0 := \sigma_j] \models \phi_1$ for all $0 \le j < i$.

By adding, to TPTL, the two axiom schemata

UNTIL1  $\phi_1\,\mathcal{U}\,\phi_2 \;\to\; \Diamond\phi_2$,

UNTIL2  $\phi_1\,\mathcal{U}\,\phi_2 \;\leftrightarrow\; (\phi_2 \lor (\phi_1 \land \bigcirc(\phi_1\,\mathcal{U}\,\phi_2)))$,

which characterize the until operator completely in PTL [40], we obtain a complete proof system for TPTL. From a generalization of Theorem 5.2 to absolute time references and until operators it follows that

Corollary 5.2 (Completeness of TPTL) A formula $\phi$ of TPTL is valid if and only if TPTL $\vdash \phi$.

5.2.4 Nonaxiomatizable extensions

We show that half-order temporal logic in general is, unlike TPTL, not (recursively) axiomatizable and, therefore, highly undecidable. From TPTL we obtain TPTL$^*$ by restraining time to provide a state counter that starts, in the initial state, at 0, and by adding the unary function symbol $2\cdot$ that is interpreted, on $\mathbb{N}$, as multiplication by 2. With Theorem 3.8, we have proved the validity problem for TPTL$^*$-formulas to be $\Pi^1_1$-hard, which implies that there is no complete proof system for this logic, as well as for TPTL with addition. Here we show that if half-order temporal logic were axiomatizable, for any choice of function and relation symbols, then so would be TPTL$^*$. It follows that temporal interpretations cannot be completely characterized in half-order modal logic.

Let $\phi^*$ denote the conjunction of the following formulas of TPTL$^*$:

COUNT1  $x.\,x = 0$,

COUNT2  $\Box x.\,\bigcirc y.\,y = Sx$,

SUCC1  $\Box x.\,Sx \ne 0$,

SUCC2  $\Box x.\,\Box y.\,(Sx = Sy \to x = y)$,

LESS1  $\Box x.\,x \not< x$,

LESS2  $\Box x.\,\bigcirc\Box y.\,(x < y \land y \not< x)$,

DOUB1  $2\cdot 0 = 0$,

DOUB2  $\Box x.\,(2\cdot Sx = SS(2\cdot x))$.

Recall that a temporal interpretation for half-order modal logic is one in which the set of states together with the two accessibility relations $\to_\bigcirc$ and $\to_\Diamond$ is isomorphic to the structure $(\mathbb{N}, +1, <)$; the set of values as well as the interpretation of all function and relation symbols is left arbitrary. The following proposition states that $\phi^*$, viewed as a formula of half-order modal logic with uninterpreted function and relation symbols, completely characterizes multiplication by 2 in temporal interpretations.


Proposition 5.2 (Half-order temporal logic) A closed formula $\psi$ of TPTL$^*$ is valid iff the formula $\phi^* \to \psi$ of half-order modal logic is true under all temporal interpretations.


Proof of Proposition 5.2 It is not hard to see that the closed formula $\phi^*$ of half-order modal logic is true under a temporal interpretation

$\mathcal{M}:\ \sigma_0 \to_\bigcirc \sigma_1 \to_\bigcirc \sigma_2 \to_\bigcirc \cdots$

iff the set of values of $\mathcal{M}$ contains $\mathbb{N}$ (modulo isomorphism), $|\sigma_i| = i$ for all $i \ge 0$, and the function and relation symbols $0$, $S$, $<$, and $2\cdot$ are, on $\mathbb{N}$, interpreted as the zero and successor functions, the ordering relation, and multiplication by 2, respectively. The proposition follows. ■

Since TPTL$^*$ is $\Pi^1_1$-hard, so is the restriction of half-order modal logic to temporal interpretations. We have, in fact, shown that any extension of TPTL with a single uninterpreted unary function symbol is $\Pi^1_1$-hard, because this function symbol can be forced, by $\phi^*$, to be interpreted as multiplication by 2 on the natural numbers.
5.3 Proving Timed Transition Systems Correct

We present two methods for the deductive verification of timed transition systems (the terminology exogenous versus endogenous is taken from Pnueli [106]):


Exogenous  Just  as  transition  systems  can  be  explicitly  encoded  by  temporal  formulas,  we 
have  seen  that  timed  transition  systems  can  be  encoded  in  TPTL  or  MTL.  Any  proof 
system  for  these  logics  can,  therefore,  be  used  to  derive  properties  of  a  timed  transition 
system,  to  prove  the  equivalence  of  two  timed  transition  systems,  or  to  prove  that  one 
timed  transition  system  refines  another  timed  transition  system.  In  the  untimed 
case,  the  possibility  of  encoding  systems  by  temporal  formulas  and  proving  temporal 
implications  was  seen  by  Pnueli  [107]  and  has  more  recently  been  strongly  advocated 
by  Lamport  [79]. 


Endogenous If we wish to prove properties of a given timed transition system $S$ only, we may, instead of presenting the system as a temporal formula, add proof rules to our proof system that need not be unconditionally sound, but only sound for reasoning about the runs of $S$. In the untimed temporal framework, this approach of reasoning about a single hidden program was first advocated by Pnueli [106] and has been greatly refined by many researchers (see, for example, [91, 105], and compare the related framework of UNITY [26]).


Indeed, as Pnueli points out, both methods have had a long tradition in program verification before the advent of temporal logic [106]. While the exogenous approach is, by staying fully within logic, both more uniform and more general, Pnueli has argued that the endogenous approach, when applicable, is preferable for any specific verification task, because it equips the verifier with the strongest possible tools for a particular class of verification problems. In the case of real-time reasoning, we have already provided the foundation for an exogenous verification method; it will be discussed in the following subsection. Thereafter, an endogenous method for real-time verification will be motivated and fully developed in the next chapter.
5.3.1 Reasoning about explicit programs

Suppose we are given a finite-state timed transition system $S$. We can use the proof system for TPTL to show that all runs of $S$ meet the TPTL-specification $\psi$ in two steps:

1. Write the logical representation $\phi_S$ of $S$, as defined in Subsection 4.3.3. Then

n(^5)  =  i?c«(n(5)); 

that is, the runs of the system $S$ are exactly the models of the TPTL-formula $\phi_S$.

2. Prove that the TPTL-formula $\phi_S \to \psi$ is valid.

Even if the timed transition system $S$ has an infinite number of states, this approach is, in principle, possible, provided we complement the proof system for TPTL with capabilities to reason about the infinitary data domains of $S$. Thus, a proof system for exogenous real-time verification can be partitioned into two parts:

General part Axioms and proof rules to establish the validity of TPTL-formulas. This part provides the tools for domain-independent reasoning.

Domain part Axioms and proof rules to reason about the underlying data domains of a system. This part generally consists of first-order theories of data types.

By giving a complete proof system for TPTL, we have presented a general part. However, while our proof system is of theoretical interest, its derivations are on a level that is much too low to be practical. This point will be illustrated in the following segment. Thus, to make real-time verification feasible for systems that lie outside the scope of decision procedures, the proof system for TPTL has to be extended by useful derivable metarules.

Deriving new proof rules

A typical step in the deduction of a bounded-response property requires the chaining of more local bounded-response properties. Hence the following inference rule turns out to be very practical:

$\Diamond$-TRANS  from $\Box x.\,(\phi_1 \to \Diamond y.\,(\phi_2 \land y \le x + m))$

    and $\Box x.\,(\phi_2 \to \Diamond y.\,(\phi_3 \land y \le x + n))$

    infer $\Box x.\,(\phi_1 \to \Diamond y.\,(\phi_3 \land y \le x + m + n))$

for all constants $m, n \ge 0$, provided that neither $x$ nor $y$ occurs free in any of $\phi_1$, $\phi_2$, and $\phi_3$. Since $\Diamond$-TRANS is sound over all timed state sequences, by our completeness result it must be derivable within the given proof system for TPTL. However, this derivation, which we are going to sketch briefly, is extremely tedious; it vividly demonstrates the need for practical high-level inference rules for real-time verification.

So let us derive $\Diamond$-TRANS. In fact, we show the stronger assertion that the two antecedents of $\Diamond$-TRANS imply the consequent; that is, we show that

$\Box x.\,(\phi_1 \to \Diamond y.\,(\phi_2 \land y \le x + m)) \;\to\; \Box x.\,(\phi_2 \to \Diamond y.\,(\phi_3 \land y \le x + n)) \;\to\; \Box x.\,(\phi_1 \to \Diamond y.\,(\phi_3 \land y \le x + m + n))$

is valid. By K$_\Box$, TRANS, Q$^*$, and VAR2, it suffices to derive

$x.\,\Diamond(\phi_2 \land y.\,y \le x + m) \;\to\; \Box(\phi_2 \to y.\,\Diamond(\phi_3 \land z.\,z \le y + n)) \;\to\; x.\,\Diamond(\phi_3 \land z.\,z \le x + m + n)$,

which can be rewritten (use K$_\Box$) as

$\Box(y.\,\Box(z.\,z \le y + n \to \neg\phi_3) \to \neg\phi_2) \;\to\; x.\,\Box(z.\,z \le x + m + n \to \neg\phi_3) \;\to\; x.\,\Box(y.\,y \le x + m \to \neg\phi_2)$.

By Q$^*$, K$_\Box$, and TRANS show

$\Box(y.\,\Box(z.\,z \le y + n \to \neg\phi_3) \to \neg\phi_2) \;\to\; \Box y.\,\Box(z.\,z \le x + m + n \to \neg\phi_3) \;\to\; \Box(y.\,y \le x + m \to \neg\phi_2)$.

Applying K$_\Box$ and Q$^*$ again, it suffices to derive

$\Box(z.\,z \le x + m + n \to \neg\phi_3) \;\to\; y \le x + m \;\to\; \Box(z.\,z \le y + n \to \neg\phi_3)$.

By RIG1$_\Box$, RIG7, K$^*$, and Q$^*$, show

$y \le x + m \;\to\; z \le y + n \;\to\; z \le x + m + n$,

which follows from NAT.
5.3.2 Reasoning about one implicit program

Suppose we wish to verify a particular timed transition system $S$. The endogenous approach to verification allows us not only to extend the repertoire of available proof rules by useful derivable rules such as $\Diamond$-TRANS, but to complement a general proof system for TPTL with tools that are sound for reasoning about the given system $S$ only. Thus, an endogenous proof system contains three components [88]:

General part As before, this part consists of a complete proof system for TPTL and derived theorems and metarules of TPTL; it provides the tools for system- and domain-independent reasoning.

Program part This part consists of axioms and proof rules that restrict the models under consideration to the execution sequences (runs) of a particular system (program); it exploits the structure of the given timed transition system $S$ to provide powerful tools for reasoning about $S$.

Domain part As before.

To offer strong and practical proof rules, the program part is, ideally, designed in accordance with proof methodologies for different classes of real-time properties (see, for example, [91] for the untimed case). In the following chapter, we will present two alternative program parts, which correspond to two different proof methodologies, for the derivation of bounded-invariance and bounded-response properties of timed transition systems.
Chapter 6


Deductive Verification:
Program Part


We present high-level proof rules for verifying that all runs of a timed transition system satisfy a bounded-invariance property or a bounded-response property. In fact, we discuss two alternative proof methodologies that are quite different in flavor:

Explicit-clock reasoning The explicit-clock style of establishing real-time properties accesses absolute time explicitly as a state parameter. The proofs in this style rely on global invariants and have the flavor of untimed safety arguments.

Bounded-operator reasoning The hidden-clock style of establishing real-time properties refers to time implicitly only, through the relative offsets of time-bounded temporal operators. The proofs in this style proceed by incrementally combining local timing properties and resemble untimed liveness arguments.

Consider, for example, the bounded-response property $\Pi_3$ that is defined by the MTL-formula

$\Box(p \to \Diamond_{\le 3}\, q)$,  ($\Pi_3$)

which states that “every $p$-state is followed by a $q$-state within 3 time units.” We have shown, in Subsection 1.2.3, that this property is a (real-time) safety property. Indeed, even though it has been expressed by a “liveness-like” formula (employing a bounded version of the liveness operator $\Diamond$), the bounded-response property $\Pi_3$ can, alternatively, be defined by
a temporal formula that uses the untimed safety operator $\mathcal{U}$ (unless) and a clock variable $t$ that refers, in any state, to the current time:

$\Box((p \land t = x) \;\to\; ((t \le x + 3)\,\mathcal{U}\,(q \land t \le x + 3)))$.

This formula states that if $p$ happens at time $x$, then from this point on, the time will not exceed $x + 3$ either forever (which is ruled out by the requirement on timed state sequences that time progresses eventually) or until $q$ happens. It follows that $q$ must occur within 3 time units from $p$. Consequently, no new proof rules are necessary for the explicit-clock style of real-time verification: if the system states are augmented by a clock variable, real-time properties can, in principle, be verified using a standard, uniform set of untimed rules. This approach of proving timing properties has been advocated, among others, by Lamport [79].

On the other hand, when using the time-bounded temporal operators of MTL for the specification of real-time properties, one discerns a clear dichotomy between the definition of upper-bound properties, such as the bounded-response formula

$\Box(p \to \Diamond_{\le 3}\, q)$

considered above, and lower-bound properties, such as the bounded-invariance formula

$\Box(p \to \Box_{< 3}\, \neg q)$,

which states that “no $p$-state is followed by a $q$-state within less than 3 time units.” While upper-bound properties assert that something good will happen within a specified amount of time, lower-bound properties assert that nothing bad will happen for a certain amount of time. Clearly, the MTL-specification of upper-bound properties bears a close resemblance to the temporal definition of the liveness properties of untimed response, and the MTL-specification of lower-bound properties closely resembles the temporal definition of the safety properties of untimed invariance. The second proof system we present cultivates this similarity by introducing separate proof principles for the classes of lower-bound (i.e., bounded-invariance) and upper-bound (i.e., bounded-response) properties. These proof principles, which often follow intuitive correctness arguments for timing properties more closely than the use of an explicit clock variable, can easily be seen to be natural extensions of the proof rules for the untimed invariance and response classes, respectively [90].
6.1 Properties of Timed Transition Systems

Throughout this chapter, we prove properties of a given fixed timed transition system $S = (\Sigma, \Theta, \mathcal{T}, l, u)$. We assume that $S$ is associated with a concrete real-time system $P$ that belongs to one of the classes we have discussed in Chapter 2; the modeled system $P$ may, for example, be a multiprocessing or a multiprogramming system, a shared-variables or a message-passing system. It follows that $S$ is defined by a set of timed transition diagrams, one for every component process of $P$, and that the set $\Sigma$ of states consists of all interpretations of a finite set $V$ of data and control variables that range over finite or infinite domains. Throughout this chapter, we use the following assumptions about $V$:

1. We assume that, in addition to data and control variables, $V$ contains sufficiently many auxiliary variables that range over the natural numbers $\mathbb{N}$ and are not changed by any of the transitions of $S$. We will on occasion need a “new, rigid” variable, and for this purpose we employ one of the auxiliary variables that have not been used previously.

2. We assume that, for every variable $x \in V$, there is a corresponding unique primed variable $x'$ that ranges over the same domain as $x$.

6.1.1 State properties

We are given an assertion language, a first-order language with equality that contains interpreted function and predicate symbols to express operations and relations on the domains of the variables in $V$. A state formula is a first-order formula $p$ of the assertion language such that only variables from $V$ occur freely in $p$. Thus, every state in $\Sigma$ provides an interpretation for the state formulas. If the state formula $p$ is true in state $\sigma$, we say that $\sigma$ is a $p$-state. We use the following abbreviations for state formulas:

• For any transition $\tau \in \mathcal{T}$, the enabling condition $enabled(\tau)$ asserts that $\tau$ is enabled. In particular, $enabled(\tau_I)$ abbreviates $true$ for the idle transition $\tau_I$.

• For any transition $\tau \in \mathcal{T}$ and state formulas $p$ and $q$, the verification condition $\{p\}\,\tau\,\{q\}$ asserts that if $p$ is true of a state $\sigma \in \Sigma$, then $q$ is true of all $\tau$-successors of $\sigma$. In particular, $\{p\}\,\tau_I\,\{q\}$ stands for the universal closure of the formula $p \to q$. For any set $T \subseteq \mathcal{T}$ of transitions, we write $\{p\}\,T\,\{q\}$ for the conjunction

$\bigwedge_{\tau \in T} \{p\}\,\tau\,\{q\}$

of all individual verification conditions.

• For any transition $\tau$ and state formulas $p$ and $q$, the inverse verification condition $\{p\}\,\tau^{-}\,\{q\}$ asserts that if $p$ is true of a state $\sigma \in \Sigma$, then $q$ is true of all $\tau$-predecessors of $\sigma$. Observe that all inverse verification conditions are definable by ordinary verification conditions:

$\{p\}\,\tau^{-}\,\{q\}$ is equivalent to $\{\neg q\}\,\tau\,\{\neg p\}$.

In particular, $\{p\}\,\tau_I^{-}\,\{q\}$ is equivalent to $\{p\}\,\tau_I\,\{q\}$ for the idle transition $\tau_I$. For any set $T \subseteq \mathcal{T}$ of transitions, we write $\{p\}\,T^{-}\,\{q\}$ for the conjunction of the inverse verification conditions for all transitions in $T$.

Note that while the truth value of an enabling condition depends on the state in which it is interpreted, the verification conditions are state-independent and, thus, equivalent to closed formulas.

In the case that the timed transition system $S$ is associated with a shared-variables multiprocessing system $P$, it is not hard to see that the enabling and verification conditions of all transitions can indeed be expressed by state formulas. Suppose that $P$ consists of the $m$ processes $P_i$, for $1 \le i \le m$, and the data precondition $\theta$, which is a state formula:

$\{\theta\}\,[P_1 \parallel \ldots \parallel P_m]$.

Let us assume that each process $P_i$, $1 \le i \le m$, is given by a timed transition diagram with the locations $\{\ell_{i,0}, \ell_{i,1}, \ldots\}$ and the entry location $\ell_{i,0}$. We write $at\_\ell_{i,j}$ for $\pi_i = \ell_{i,j}$, that is, the control of the process $P_i$ is at the location $\ell_{i,j}$. We abbreviate any disjunction $at\_\ell_{i,j} \lor at\_\ell_{i,k}$ further, to $at\_\ell_{i,j,k}$.

1. For each entry transition $\tau_0 \in \mathcal{T}$ of $S_P$, the enabling condition $enabled(\tau_0)$ is equivalent to the state formula

eiJi, 
and the verification condition $\{p\}\,\tau_0\,\{q\}$ is equivalent to the universal closure of the formula

$(p \land enabled(\tau_0) \land (at\_\ell_{i,0})' \land \bigwedge_{v \in V - \{\pi_i\}} (v' = v)) \;\to\; q'$,

where the formula $q'$ is obtained from $q$ by replacing every variable with its primed version; for example, $(at\_\ell_{i,0})'$ stands for $\pi_i' = \ell_{i,0}$. The inverse verification condition $\{p\}\,(\tau_0)^{-}\,\{q\}$ is equivalent to the universal closure of

$(p' \land enabled(\tau_0) \land (at\_\ell_{i,0})' \land \bigwedge_{v \in V - \{\pi_i\}} (v' = v)) \;\to\; q$.

2. All other nonidle transitions of $S_P$ correspond to edges in the timed transition diagrams for the processes $P_i$. Let $\tau_{j \to k} \in \mathcal{T}$ be such a transition and assume that the corresponding edge connects the location $\ell_{i,j}$ to the location $\ell_{i,k}$ and is labeled by the instruction $c \to x := e$. Then, the enabling condition $enabled(\tau_{j \to k})$ is equivalent to

$at\_\ell_{i,j} \land c$,

and the verification condition $\{p\}\,\tau_{j \to k}\,\{q\}$ is equivalent to the universal closure of the formula

$(p \land enabled(\tau_{j \to k}) \land (at\_\ell_{i,k})' \land (x' = e) \land \bigwedge_{y \in V - \{\pi_i, x\}} (y' = y)) \;\to\; q'$.

The inverse verification condition $\{p\}\,(\tau_{j \to k})^{-}\,\{q\}$ is equivalent to the universal closure of

$(p' \land enabled(\tau_{j \to k}) \land (at\_\ell_{i,k})' \land (x' = e) \land \bigwedge_{y \in V - \{\pi_i, x\}} (y' = y)) \;\to\; q$.

It is also straightforward to express the enabling and verification conditions as state formulas, if the timed transition system $S$ is associated with any of the other concrete real-time systems that we have introduced in Chapter 2, such as message-passing, multiprogramming, dynamic, and priority systems.
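As an added illustration of these conditions (example code written for this page, not from the thesis), the following Python evaluates $\{p\}\,\tau\,\{q\}$ and $\{p\}\,\tau^{-}\,\{q\}$ by brute force over a small finite domain for one constructed diagram edge with the assumed instruction $x < 3 \to x := x + 1$, and confirms the definability claim that the inverse condition coincides with $\{\neg q\}\,\tau\,\{\neg p\}$; the domain, the edge, and the names `tau`, `vc` and `inverse_vc` are the example's own assumptions.

```python
"""Added example (not from the thesis): brute-force evaluation, over a small finite
domain, of the enabling condition, the verification condition {p} tau {q} and the
inverse verification condition {p} tau^- {q} of Subsection 6.1.1, for one diagram
edge labelled 'c -> x := e' as in the shared-variables case."""
from itertools import product
from typing import Callable, Dict, List

State = Dict[str, int]                         # interpretation of V = {pi, x}
StateFormula = Callable[[State], bool]
Transition = Callable[[State], List[State]]    # a state's tau-successors

# Constructed instance (assumed for the example): the edge tau_{0->1} from
# location 0 to location 1 carries the instruction  x < 3 -> x := x + 1 ;
# the data variable x ranges over the finite domain 0..4.
LOCATIONS = (0, 1)
DOMAIN_X = range(5)


def all_states() -> List[State]:
    """Sigma: every interpretation of the control variable pi and data variable x."""
    return [{"pi": loc, "x": x} for loc, x in product(LOCATIONS, DOMAIN_X)]


def enabled(s: State) -> bool:
    """enabled(tau_{0->1}) is equivalent to  at_l0 and c."""
    return s["pi"] == 0 and s["x"] < 3


def tau(s: State) -> List[State]:
    """tau-successors: pi' = l1, x' = e, every other variable unchanged."""
    return [{"pi": 1, "x": s["x"] + 1}] if enabled(s) else []


def predecessors(tr: Transition, s: State) -> List[State]:
    """All states from which tr leads to s."""
    return [t for t in all_states() if s in tr(t)]


def vc(p: StateFormula, tr: Transition, q: StateFormula) -> bool:
    """{p} tau {q}: if p is true of a state, q is true of all its tau-successors."""
    return all(q(t) for s in all_states() if p(s) for t in tr(s))


def inverse_vc(p: StateFormula, tr: Transition, q: StateFormula) -> bool:
    """{p} tau^- {q}: if p is true of a state, q is true of all its tau-predecessors."""
    return all(q(t) for s in all_states() if p(s) for t in predecessors(tr, s))


def inverse_vc_by_contrapositive(p: StateFormula, tr: Transition, q: StateFormula) -> bool:
    """The definability claim of 6.1.1: {p} tau^- {q} is equivalent to {not q} tau {not p}."""
    return vc(lambda s: not q(s), tr, lambda s: not p(s))


def equivalence_holds(tr: Transition, formulas: List[StateFormula]) -> bool:
    """Check the equivalence above for every pair of the given state formulas."""
    return all(inverse_vc(p, tr, q) == inverse_vc_by_contrapositive(p, tr, q)
               for p in formulas for q in formulas)


# Constructed sample state formulas over pi and x.
SAMPLE_FORMULAS: List[StateFormula] = [
    lambda s: s["pi"] == 0,
    lambda s: s["x"] < 3,
    lambda s: s["x"] >= 2,
    lambda s: s["pi"] == 1 and s["x"] >= 1,
]
```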


Synchronous multiprocessing systems

Our examples will be drawn from timed transition systems $S$ that are associated with multiprocessing systems $P$ of the form $\{\theta\}\,[P_1 \parallel \ldots \parallel P_m]$ all of whose component processes start synchronously (i.e., at the exact same time). We call such a system synchronous and model it by a single entry transition that sets all control variables, simultaneously, to the entry locations of the individual processes. For multiprocessing systems $P$, it is convenient to define the following two additional abbreviations for state formulas:

• The ready condition $ready$ holds precisely in the initial states $\Theta$ of $S_P$; it indicates that none of the processes of $P$ has started yet. Consequently, the ready condition $ready$ of $S_P$ stands for the state formula

p  A  (  A 

l<i<m 

• The synchronous starting condition $start$ indicates that all processes of $P$ have entered their entry locations, but none has proceeded any farther; that is, $start$ abbreviates the state formula

$\theta \land \big(\bigwedge_{1 \le i \le m} at\_\ell_{i,0}\big)$.

Note that if $P$ is synchronous, then the two verification conditions

$\{ready\}\;\mathcal{T} - \tau_I\;\{start\}$,

$\{start\}\;(\mathcal{T} - \tau_I)^{-}\;\{ready\}$

are valid (by $T - \tau$ we denote the set difference $T - \{\tau\}$).

6.1.2 Temporal properties

Temporal formulas are constructed from state formulas by boolean connectives and time-bounded temporal operators. They are interpreted over timed state sequences whose states are drawn from $\Sigma$ and whose times are natural numbers. In this chapter, we are interested in proving two classes of real-time properties of timed transition systems, bounded-invariance properties and bounded-response properties. Thus we restrict ourselves, semantically, to the digital-clock model, which was justified in Subsection 3.12, and, syntactically, to the following fragment of MTL:

• Every state formula is a temporal formula.

• Every boolean combination of temporal formulas is a temporal formula.

• If $p$ is a state formula, $\phi$ a temporal formula, and $l \in \mathbb{N}$, then $p\,\mathcal{U}_{\ge l}\,\phi$ is a temporal formula; recall that it is true over the timed state sequence $\rho = (\sigma, T)$ iff either all $\sigma_i$, for $i \ge 0$, are $p$-states, or there is some position $i \ge 0$ such that $T_i \ge T_0 + l$, $\phi$ is true over the $i$-th suffix $\rho^i$ of $\rho$, and all $\sigma_j$, for $0 \le j < i$, are $p$-states. We use the abbreviations $p\,\mathcal{U}\,\phi$ and $\Box_{<l}\,p$ for the temporal formulas $p\,\mathcal{U}_{\ge 0}\,\phi$ and $p\,\mathcal{U}_{\ge l}\,true$, respectively; a further abbreviation stands for $p \land (p\,\mathcal{U}_{\ge l}\,\phi)$.

• If $\phi$ is a temporal formula and $u \in \mathbb{N}$, then $\Diamond_{\le u}\,\phi$ is a temporal formula; recall that it is true over the timed state sequence $\rho = (\sigma, T)$ iff there is some position $i \ge 0$ such that $T_i \le T_0 + u$ and $\phi$ is true over the $i$-th suffix $\rho^i$ of $\rho$.

From now on, we use the convention that the letters $p$, $q$, $r$ (and primed versions) denote state formulas, while the letters $\phi$, $\psi$, and $\chi$ stand for arbitrary temporal formulas.

$S$-validity and $S$-soundness

The following definitions and comments apply equally to timed and untimed transition systems as well as to all formulas that are interpreted over timed state sequences and state sequences, respectively. Recall that the run fragments of a (timed) transition system are obtained by closing its runs under suffixes. We say that a formula $\phi$ is $S$-valid iff it is true over all run fragments of the (timed) transition system $S$. While (general) validity, truth over all (timed) state sequences, implies $S$-validity for every system $S$, the converse does not necessarily hold. In fact, even a state formula $p$ that is $S$-valid may not be true in some states of $S$ that do not occur along any run of $S$ and, hence, $p$ may not be generally valid.

If a formula $\phi$ is $S$-valid, then it is, by definition, satisfied by all runs of $S$. Thus, to show that the given system $S$ meets the specification $\phi$, it suffices to show that $\phi$ is $S$-valid. This observation has two important ramifications:

1. Since the set of run fragments of $S$ is closed under suffixes, a formula $\phi$ is $S$-valid iff the invariance $\Box\phi$ is $S$-valid. Therefore, as we are concerned with $S$-validity only in this chapter, we may omit all outermost unbounded always operators from specifications.

2. A proof rule is called $S$-sound iff the $S$-validity of all premises implies the $S$-validity of the conclusion. Clearly, a generally sound rule may not be $S$-sound, and vice versa. Therefore, for verifying properties of the given system $S$ by proving $S$-validity, we restrict ourselves to $S$-sound proof rules.

We shall build extensively on both remarks throughout this chapter, and begin by discussing some immediate applications of $S$-validity and $S$-soundness in the following two segments.

Bounded invariance and bounded response

First, we point out that the bounded-unless and bounded-eventually operators of the fragment of MTL that we have chosen for this chapter suffice to define both bounded-invariance and bounded-response properties of the given timed transition system $S$.

Bounded invariance The bounded-invariance formula

$p \to \Box_{<l}\,q$

is $S$-valid iff for every run $(\sigma, T)$ of $S$ and all $i \ge 0$ and $j \ge i$,

if $\sigma_i$ is a $p$-state and $T_j < T_i + l$,
then $\sigma_j$ is a $q$-state;

that is, no $p$-state is followed by a $\neg q$-state within time less than $l$. A typical application of bounded invariance is to state a lower bound $l$ on the termination of a multiprocessing system $S$ with the termination condition $r$: the temporal formula

$ready \to \Box_{<l}\,\neg r$

asserts that, if not started before time $t$, then $S$ will not reach a final state before time $t + l$.

Bounded response The bounded-response formula

$p \to \Diamond_{\le u}\,q$

is $S$-valid iff for every run $(\sigma, T)$ of $S$ and all $i \ge 0$,

if $\sigma_i$ is a $p$-state,
then there is some $q$-state $\sigma_j$, with $j \ge i$, such that $T_j \le T_i + u$;

that is, every $p$-state is followed by a $q$-state within time $u$. A typical application of bounded response is to state an upper bound $u$ on the termination of a multiprocessing system $S$ with the termination condition $r$: the temporal formula

$start \to \Diamond_{\le u}\,r$

asserts that if all component processes of $S$ are started synchronously at time $t$, then $S$ is guaranteed to reach a final state no later than at time $t + u$. As the runs of timed transition systems are closed under shifting the origin of time, we shall, without loss of generality, henceforth assume that $t = 0$.

Monotonicity  rules 

Secondly, we introduce two important proof rules that are S-sound for every timed transition system S. The monotonicity rule U-MON allows us to weaken any of the three arguments of the bounded-unless operator:

U-MON
  $p \to p'$
  $\phi \to \phi'$
  $l' \leq l$
  ----------------------------------------
  $(p\ \mathcal{U}_{\geq l}\ \phi) \to (p'\ \mathcal{U}_{\geq l'}\ \phi')$

A monotonicity rule also holds for the bounded-eventually operator:

◇-MON
  $\phi \to \phi'$
  $u \leq u'$
  ----------------------------------------
  $(\Diamond_{\leq u}\ \phi) \to (\Diamond_{\leq u'}\ \phi')$

It is not hard to see that both monotonicity rules are generally sound as well as S-sound for every timed transition system S. Since propositional reasoning, too, is S-sound for every system S, we will refer to applications of the two weakening rules and propositional reasoning in derivations through the simple annotation "by monotonicity." For example, from the bounded-unless formula

$p \to q\ \mathcal{U}_{\geq l}\ r$,

we can establish, by monotonicity, both the bounded-invariance formula

$p \to \Box_{<l}\ q$

and the unbounded unless formula

$p \to q\ \mathcal{U}\ r$.

Note that every unless formula can be read as an untimed formula of PTL and interpreted over state sequences; that is, it defines an untimed safety property.

6.2  Explicit-clock  Reasoning 

We  point  out  that  none  of  our  state  formulas  is  able  to  refer  to  the  value  of  the  time,  and 
the  only  references  to  time  that  are  admitted  in  temporal  formulas  are  bounds  on  temporal 
operators.  In  this  section,  we  investigate  the  consequences  of  extending  the  notion  of  state, 
by  adding  a  state  variable  t  that  represents,  in  every  state,  the  current  time.  This  extension 
is  interesting,  because  once  we  are  given  explicit  access  to  the  absolute  time  through  the 
clock  variable  t,  both  bounded-invariance  and  bounded-response  formulas  can,  equivalently, 
be  written  as  unbounded  unless  formulas  and,  consequently,  be  verified  by  conventional 
untimed techniques for establishing safety properties of transition systems.

6.2.1 Explicit-clock temporal logic

For the given timed transition system S and a bounded-invariance or bounded-response formula $\phi$, we formalize the explicit-clock approach by

1. Translating the timed transition system S into the untimed explicit-clock transition system S*, which has been defined in Subsection 2.1.2. Note that if the states of S are all interpretations of the set V of variables, then the states of S* assign values to all variables in the set

$V^* = V \cup \{t\} \cup \{d_\tau \mid \tau \in \mathcal{T}\}$,

which is augmented by the clock variable and a delay counter for each transition of S.

2. Translating the specification $\phi$ over V into an untimed unless formula $\phi^*$ over V* such that the explicit-clock formula $\phi^*$ is S*-valid iff $\phi$ is S-valid:

• The explicit-clock translation of the bounded-invariance formula $p \to \Box_{<l}\ q$ is

$(p \wedge t = z) \to q\ \mathcal{U}\ (t \geq z + l)$,

for a new, rigid variable $z \in V$ that ranges over N (recall that V supplies suitable variables that occur neither in the description of S nor in $\phi$).

• The explicit-clock translation of the bounded-response formula $p \to \Diamond_{\leq u}\ q$ is

$(p \wedge t = z) \to (t \leq z + u)\ \mathcal{U}\ q$,

for a new, rigid variable $z \in V$ that ranges over N.

Both unless formulas use the rigid variable z to record the time of the p-state. In the case of bounded-response properties the explicit-clock translation exploits the facts that all run fragments of S are deterministic timed state sequences and that the time is guaranteed to reach and surpass z + u, for any value of z. We emphasize that neither of the state formulas p and q may contain free occurrences of the clock variable or any of the delay counters.

From the properties of explicit-clock transition systems that we have inferred in Chapter 2, it is not hard to conclude that the explicit-clock formula $\phi^*$ is indeed S*-valid iff $\phi$ is S-valid. We remark that, since both bounded-invariance and bounded-response formulas define safety properties, there has been no need to add fairness assumptions to the explicit-clock transition system.
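The semantics of bounded invariance and bounded response given at the start of this chapter, and the explicit-clock translation of both into unless formulas just described, can be checked mechanically on a finite timed state sequence. The following Python is an added example and is not part of the thesis: it evaluates both MTL properties directly on a run $(\sigma, T)$ (a list of states with integer time stamps), augments the same run with the clock variable t as the explicit-clock construction does (the delay counters are not needed for these two checks), and evaluates the two translated unless formulas with the rigid variable z instantiated to the time of each p-state. The sample runs are constructed for the single-process system P of this section (a process that moves from l0 to l1 within the delay interval [2, 3]); the state encoding, the predicate names and the run generator are my own.

```python
from typing import Callable, Dict, List, Tuple

State = Dict[str, object]
Run = List[Tuple[State, int]]      # (sigma_i, T_i): a timed state sequence, T nondecreasing
Pred = Callable[[State], bool]


def is_deterministic(run: Run) -> bool:
    """Every step either keeps the time (a state change) or advances it by exactly 1
    and keeps the state (a tick): a deterministic timed state sequence."""
    return all(t1 == t0 or (t1 == t0 + 1 and s1 == s0)
               for (s0, t0), (s1, t1) in zip(run, run[1:]))


def bounded_invariance(run: Run, p: Pred, q: Pred, l: int) -> bool:
    """p -> []_{<l} q: a p-state sigma_i and T_j < T_i + l (j >= i) force q at sigma_j."""
    for i, (si, ti) in enumerate(run):
        if p(si):
            for sj, tj in run[i:]:
                if tj < ti + l and not q(sj):
                    return False
    return True


def bounded_response(run: Run, p: Pred, q: Pred, u: int) -> bool:
    """p -> <>_{<=u} q: every p-state sigma_i is followed by a q-state sigma_j (j >= i)
    with T_j <= T_i + u.  A prefix that ends before a deadline cannot decide this, so
    that case raises instead of guessing."""
    for i, (si, ti) in enumerate(run):
        if not p(si):
            continue
        if any(q(sj) for sj, tj in run[i:] if tj <= ti + u):
            continue
        if run[-1][1] < ti + u:
            raise ValueError("prefix ends at %d, before the deadline %d" % (run[-1][1], ti + u))
        return False
    return True


def explicit_clock(run: Run) -> Run:
    """Augment every state with the clock variable t = T_i."""
    return [(dict(s, t=T), T) for s, T in run]


def unless(run: Run, p: Pred, q: Pred, r: Pred) -> bool:
    """p -> q U r: after every p-state, q holds at each state before the first
    r-state, or forever if no r-state follows."""
    for i, (si, _) in enumerate(run):
        if p(si):
            for sj, _ in run[i:]:
                if r(sj):
                    break
                if not q(sj):
                    return False
    return True


def bounded_invariance_via_clock(run: Run, p: Pred, q: Pred, l: int) -> bool:
    """Translation (p /\ t = z) -> q U (t >= z + l), for every z a p-state can record."""
    aug = explicit_clock(run)
    return all(unless(aug, lambda s, z=z: p(s) and s["t"] == z, q,
                      lambda s, z=z: s["t"] >= z + l)
               for z in {s["t"] for s, _ in aug if p(s)})


def bounded_response_via_clock(run: Run, p: Pred, q: Pred, u: int) -> bool:
    """Translation (p /\ t = z) -> (t <= z + u) U q; agrees with bounded_response on
    deterministic runs whose prefix reaches every deadline."""
    aug = explicit_clock(run)
    return all(unless(aug, lambda s, z=z: p(s) and s["t"] == z,
                      lambda s, z=z: s["t"] <= z + u, q)
               for z in {s["t"] for s, _ in aug if p(s)})


# Constructed runs of the process P: it sits in the location 'ready' until it is
# started at time 0, and takes its transition from l0 to l1 at time move_time.
def run_of(move_time: int, horizon: int = 6) -> Run:
    run: Run = [({"loc": "ready"}, 0), ({"loc": "l0"}, 0)]
    for T in range(1, horizon + 1):
        run.append((dict(run[-1][0]), T))       # tick: same state, time + 1
        if T == move_time:
            run.append(({"loc": "l1"}, T))      # tau_{0->1} at unchanged time
    return run


READY: Pred = lambda s: s["loc"] == "ready"
AT_L1: Pred = lambda s: s["loc"] == "l1"
NOT_AT_L1: Pred = lambda s: s["loc"] != "l1"


def check_process_p(move_time: int) -> Dict[str, bool]:
    """Lower bound ready -> []_{<2} not at_l1 and upper bound ready -> <>_{<=3} at_l1,
    each evaluated in MTL directly and through its explicit-clock translation."""
    run = run_of(move_time)
    if not is_deterministic(run):
        raise ValueError("sample run is not a deterministic timed state sequence")
    return {
        "lower_mtl": bounded_invariance(run, READY, NOT_AT_L1, 2),
        "lower_clock": bounded_invariance_via_clock(run, READY, NOT_AT_L1, 2),
        "upper_mtl": bounded_response(run, READY, AT_L1, 3),
        "upper_clock": bounded_response_via_clock(run, READY, AT_L1, 3),
    }
```

A run in which P moves at time 2 or 3 satisfies all four checks; a run that moves at time 1 fails both forms of the lower bound, and one that moves at time 4 fails both forms of the upper bound. The agreement between the MTL check and the unless check of the response bound depends on the run being a deterministic timed state sequence, which is exactly the fact the text says the translation exploits.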

Untimed  temporal  reasoning  about  real  time 

Our observations suggest a method for verifying bounded-invariance and bounded-response properties of timed transition systems: to prove the S-validity of the temporal formula $\phi$ we establish instead the S*-validity of the untimed safety formula $\phi^*$. To show the unbounded unless formula $\phi^*$, a single untimed unless rule suffices [89]:

UNLESS
  $p \to (\varphi \vee r)$
  $\{\varphi\}\ \mathcal{T}^*\ \{\varphi \vee r\}$
  $\varphi \to q$
  ----------------------------------------
  $p \to q\ \mathcal{U}\ r$

We point out that all three premises of the unless rule are state formulas over the augmented set V* of variables; their S*-validity is usually shown by proving them generally valid. The state formula $\varphi$ is called the invariant of the rule, because the main (i.e., second) premise asserts that $\varphi$ is preserved by all transitions of the system S* (unless the desired state condition r is established).

To see that the rule UNLESS is S*-sound for the untimed transition system S* with the set T* of transitions, suppose that the three premises of the rule are true in all states that occur along any run fragment of S*, and consider an arbitrary run fragment $\sigma$ of S* that contains a p-state $\sigma_i$. By the first premise, $\sigma_i$ is either an r-state, thus satisfying the consequent of the rule, or the invariant $\varphi$ holds at $\sigma_i$. The second premise guarantees that $\varphi$ holds at all subsequent states either forever or until an r-state is encountered. Since $\varphi$ implies q by the third premise, the consequent follows in either case.

To demonstrate the explicit-clock style of reasoning about timing properties, we look first at a trivial, yet already insightful, example; the verification of a more elaborate system will be carried out at the end of this section. Consider the single-process system P with the data precondition x = 0 and the following timed transition diagram:

[timed transition diagram of P, not reproduced: the transition $\tau_{0\to1}$ leads from l0 to the final location l1, is guarded by x = 0 and carries the delay interval [2, 3]]

The lower bound on the termination of P,

$\mathit{ready} \to \Box_{<2}\ \neg\mathit{at\_l_1}$,

is translated into the explicit-clock formula

$(\mathit{ready} \wedge t = z) \to (\neg\mathit{at\_l_1})\ \mathcal{U}\ (t \geq z + 2)$,

which can be derived by the unless rule from the invariant

$(\mathit{at\_l_1} \wedge t \geq z + 2) \vee (\mathit{at\_l_0} \wedge t \geq z + d_{0\to1})$

(we write $d_{0\to1}$ for the delay counter of the transition $\tau_{0\to1}$; recall that it ranges over the set {0, 1, 2, 3} only). The upper bound on the termination of P,

$\mathit{start} \to \Diamond_{\leq 3}\ \mathit{at\_l_1}$,

is translated into the untimed unless formula

$(\mathit{start} \wedge t = z) \to (t \leq z + 3)\ \mathcal{U}\ \mathit{at\_l_1}$,

which can be concluded by the unless rule from the invariant

$\mathit{at\_l_0} \wedge x = 0 \wedge z \leq t \leq z + 3 \wedge t \leq z + d_{0\to1}$.

The asymmetry of the invariants for establishing the lower and the upper bound reflects a subtle difference in the corresponding arguments, which will be fully exploited in the next section, where we will devise separate proof methodologies for deriving lower bounds and for deriving upper bounds.
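The two unless-rule proofs for P above can be discharged mechanically: once the clock t and the rigid variable z are bounded by a horizon, the explicit-clock transition system S* of P is finite, and each premise of UNLESS is a check over all of its states. The Python below is an added example, not the thesis's own material. It encodes S* for P (guard x = 0, which stays true and is therefore left out of the state; delay interval [2, 3]; delay counter $d_{0\to1}$ with range {0, 1, 2, 3}) using the tick rule of the explicit-clock system (time and the counter of the enabled transition advance together, and time may not advance once the counter has reached the maximal delay). The invariants are assumptions written for this model in the shape of those on the page: for the lower bound, $\mathit{at\_l_0} \wedge t \geq z + d_{0\to1}$; for the upper bound, $\mathit{at\_l_0} \wedge z \leq t \leq z + 3 \wedge t \leq z + d_{0\to1}$. Two deliberately inadequate invariants show which premise the checker rejects.

```python
from itertools import product
from typing import Callable, List, Optional, Tuple

# Explicit-clock transition system S* of the process P (an assumed model for this example):
# location l0 or l1, the clock t, the rigid variable z and the delay counter d of the single
# transition tau_{0->1}, whose delay interval is [2, 3].
State = Tuple[str, int, int, int]          # (loc, t, z, d)
Pred = Callable[[State], bool]
L_MIN, U_MAX = 2, 3
HORIZON = 12                               # bound on t and z for the finite enumeration


def successors(s: State) -> List[State]:
    """One step of S*: a tick (t and the counter grow by 1, allowed only while the counter
    is below the maximal delay) or tau_{0->1} (allowed once the counter has reached the
    minimal delay).  At l1 nothing is enabled, so only time passes."""
    loc, t, z, d = s
    succ: List[State] = []
    if loc == "l0":
        if d < U_MAX and t < HORIZON:
            succ.append(("l0", t + 1, z, d + 1))
        if d >= L_MIN:
            succ.append(("l1", t, z, 0))
    elif t < HORIZON:
        succ.append(("l1", t + 1, z, 0))
    return succ


def all_states():
    for loc, t, z, d in product(("l0", "l1"), range(HORIZON + 1),
                                range(HORIZON + 1), range(U_MAX + 1)):
        if loc == "l1" and d != 0:
            continue                       # the counter of a disabled transition is 0
        yield (loc, t, z, d)


def check_unless_rule(p: Pred, phi: Pred, q: Pred, r: Pred) -> Optional[Tuple]:
    """Discharge the premises of UNLESS over the whole state space:
    (1) p -> phi \/ r, (2) {phi} T* {phi \/ r}, (3) phi -> q.
    Returns None when all hold, else the first failing premise with a witness state."""
    for s in all_states():
        if p(s) and not (phi(s) or r(s)):
            return ("premise 1", s)
        if phi(s):
            for s2 in successors(s):
                if not (phi(s2) or r(s2)):
                    return ("premise 2", s, s2)
            if not q(s):
                return ("premise 3", s)
    return None


# The p-state of both unless formulas: P at l0 at time t = z with a fresh delay counter.
START: Pred = lambda s: s[0] == "l0" and s[3] == 0 and s[1] == s[2]

# Lower bound  (ready /\ t = z) -> (not at_l1) U (t >= z + 2)
NOT_AT_L1: Pred = lambda s: s[0] != "l1"
AFTER_2: Pred = lambda s: s[1] >= s[2] + 2
PHI_LOW: Pred = lambda s: s[0] == "l0" and s[1] >= s[2] + s[3]          # t >= z + d
PHI_LOW_NO_COUNTER: Pred = lambda s: s[0] == "l0"                         # ignores d

# Upper bound  (start /\ t = z) -> (t <= z + 3) U at_l1
AT_L1: Pred = lambda s: s[0] == "l1"
WITHIN_3: Pred = lambda s: s[1] <= s[2] + 3
PHI_UP: Pred = lambda s: s[0] == "l0" and s[2] <= s[1] <= s[2] + 3 and s[1] <= s[2] + s[3]
WITHIN_2: Pred = lambda s: s[1] <= s[2] + 2                               # too tight a bound
PHI_UP_2: Pred = lambda s: s[0] == "l0" and s[2] <= s[1] <= s[2] + 2 and s[1] <= s[2] + s[3]


def lower_bound_proof():
    return check_unless_rule(START, PHI_LOW, NOT_AT_L1, AFTER_2)


def lower_bound_without_counter():
    return check_unless_rule(START, PHI_LOW_NO_COUNTER, NOT_AT_L1, AFTER_2)


def upper_bound_proof():
    return check_unless_rule(START, PHI_UP, WITHIN_3, AT_L1)


def upper_bound_too_tight():
    return check_unless_rule(START, PHI_UP_2, WITHIN_2, AT_L1)
```

Dropping the delay counter from the lower-bound invariant makes premise 2 fail at a state where the transition fires at time z with d = 2, which no run reaches but which the invariant must exclude on its own; claiming an upper bound of 2 fails premise 2 at the tick from t = z + 2 to t = z + 3, which the maximal delay 3 permits. This is the "mechanical, exhaustive case analysis of all possible state-time combinations" that the text describes for the larger example below.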

Relative  completeness 

Let us conclude with two remarks about the explicit-clock style of proving real-time properties by untimed techniques:

1. The method applies to every formula $\phi$ of TPTL or MTL that can be faithfully translated into an explicit-clock formula $\phi^*$; that is, $\phi^*$ is S*-valid iff $\phi$ is S-valid.

2. The method is complete relative to reasoning about the data domains. This is because the unless rule has been shown complete, relative to state reasoning, for establishing unless formulas, provided the underlying data types and the assertion language are sufficiently powerful to encode runs of transition systems [89]. It follows that every bounded-invariance and bounded-response property of S can be shown by untimed reasoning:

Theorem 6.1 (Relative completeness of explicit-clock reasoning)  Let S be a timed transition system and let $\phi$ be a bounded-invariance or a bounded-response formula. If $\phi$ is S-valid, then the unless formula $\phi^*$ can be derived by the unless rule relative to state reasoning.

6.2.2  Example:  Race  condition 

As  our  main  example,  we  present  a  multiprocessing  system  that  looks  innocent  at  first 
glance  but  turns  out  to  be  rather  intricate,  because  its  execution  time  depends  on  an 


CHAPTER 6. DEDUCTIVE VERIFICATION: PROGRAM PART
interesting interplay of the minimal delays and maximal delays of transitions that belong to different processes. Consider the following timed transition diagram definition of the increment-decrement system:


We wish to analyze the worst-case (maximal) running time of the synchronous two-process shared-variables multiprocessing system

$\{x = 1, y = 0\}\ [P_1 \,\|\, P_2]$.

Note that the first process, P1, consumes the maximal amount of time if its first loop, in which the value of y is incremented, is executed as often (fast) as possible, namely 11 times: the control of P1 may enter the first loop 11 times before and at time 10, the latest time at which the second process closes the loop, and it may spend another 10 time units in the first loop after the guard has been reversed. In this worst (slowest) case, the first loop is left at time 20 with y = 11 and, thus, the second loop may use up no more than 110 time units. It follows that P1 terminates by time 130.

Assuming that assignments cost at least 2 time units (instead of 1), tests still being free, the maximal value of y would be only 6, implying termination by time 80: the increase of individual lower bounds decreases the composite upper bound! This phenomenon vividly demonstrates that real-time reasoning amounts to more than simply adding up minimal delays or maximal delays of individual transitions; it shows that lower-bound and upper-bound requirements are not independent, but may jointly affect the global time bounds of a system.
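The worst-case argument above can be confirmed by exhaustive search. The Python below is an added example and not the thesis's own material: it builds a model of the increment-decrement system from the description in the text (the diagram itself is not reproduced on the page, so the loop structure and the delay intervals in the comments are assumptions), explores every interleaving under the delay-counter semantics of the explicit-clock transition system of Subsection 2.1.2, and reports the latest time at which P1 reaches its final location. With minimal delay 1 for assignments the search returns 130, with minimal delay 2 it returns 80, reproducing the interplay of lower and upper bounds described above. Transition names and location names are my own.

```python
from collections import deque
from typing import Callable, Dict, Iterator, List, Tuple

# Assumed model of [P1 || P2] (the diagram is not on the page):
#   P1: l0 --[x = 1]--> l0'  --[y := y + 1, delay [lmin, 10]]--> l0
#       l0 --[x != 1]--> l1
#       l1 --[y > 0]--> l1'  --[y := y - 1, delay [lmin, 10]]--> l1
#       l1 --[y = 0]--> l2   (final location of P1)
#   P2: m0 --[x := 0, delay [lmin, 10]]--> m1
# Guard tests are free (delay [0, 0]); every assignment costs at least lmin time units.
State = Dict[str, object]
Transition = Tuple[str, str, str, str, Callable[[State], bool],
                   Callable[[State], Dict[str, object]], int, int]


def build_system(lmin: int) -> List[Transition]:
    """(name, location variable of its process, source, target, guard, assignment,
    minimal delay, maximal delay)."""
    return [
        ("a", "loc1", "l0",  "l0p", lambda s: s["x"] == 1, lambda s: {},                0,    0),
        ("b", "loc1", "l0",  "l1",  lambda s: s["x"] != 1, lambda s: {},                0,    0),
        ("c", "loc1", "l0p", "l0",  lambda s: True,        lambda s: {"y": s["y"] + 1}, lmin, 10),
        ("d", "loc1", "l1",  "l1p", lambda s: s["y"] > 0,  lambda s: {},                0,    0),
        ("e", "loc1", "l1",  "l2",  lambda s: s["y"] == 0, lambda s: {},                0,    0),
        ("f", "loc1", "l1p", "l1",  lambda s: True,        lambda s: {"y": s["y"] - 1}, lmin, 10),
        ("g", "loc2", "m0",  "m1",  lambda s: True,        lambda s: {"x": 0},          lmin, 10),
    ]


def enabled(tr: Transition, s: State) -> bool:
    return s[tr[1]] == tr[2] and tr[4](s)


def step(system: List[Transition], s: State,
         counters: Dict[str, int]) -> Iterator[Tuple[State, Dict[str, int]]]:
    """Successors in the explicit-clock system.  counters holds the delay counter of every
    enabled transition: a transition may be taken once its counter has reached its minimal
    delay; a tick (t and all counters + 1) is allowed only while no enabled transition
    has reached its maximal delay."""
    for tr in system:
        name, proc, _src, dst, _guard, action, lo, _hi = tr
        if enabled(tr, s) and counters[name] >= lo:
            s2 = dict(s)
            s2[proc] = dst
            s2.update(action(s))
            # transitions that stay enabled keep their counter; the taken transition and
            # every newly enabled one start counting at 0
            c2 = {t2[0]: (counters[t2[0]] if t2[0] in counters and t2[0] != name else 0)
                  for t2 in system if enabled(t2, s2)}
            yield s2, c2
    if all(counters[tr[0]] < tr[7] for tr in system if enabled(tr, s)):
        s2 = dict(s)
        s2["t"] = s["t"] + 1
        yield s2, {name: d + 1 for name, d in counters.items()}


def worst_case_termination(lmin: int) -> int:
    """Latest time at which P1 can reach l2, by exhaustive search from {x = 1, y = 0}
    at time 0 with both processes started simultaneously."""
    if lmin < 1:
        raise ValueError("assignments must cost at least one time unit")
    system = build_system(lmin)
    init: State = {"loc1": "l0", "loc2": "m0", "x": 1, "y": 0, "t": 0}
    counters = {tr[0]: 0 for tr in system if enabled(tr, init)}

    def key(s: State, c: Dict[str, int]):
        return (tuple(sorted(s.items())), tuple(sorted(c.items())))

    seen = {key(init, counters)}
    queue = deque([(init, counters)])
    latest = -1
    while queue:
        s, c = queue.popleft()
        if s["loc1"] == "l2":
            latest = max(latest, s["t"])   # P1 has terminated; nothing more to explore
            continue
        for s2, c2 in step(system, s, c):
            k = key(s2, c2)
            if k not in seen:
                seen.add(k)
                queue.append((s2, c2))
    return latest
```

The search keeps the delay counters in the state key, so it explores exactly the runs the explicit-clock transition system admits; the bound 130 arises on the run in which P1 enters the first loop at every integer time up to 10, P2 resets x at time 10 after that entry, and every subsequent assignment takes its full 10 time units. Raising the minimal delay of assignments to 2 halves the number of loop entries and therefore lowers the global bound to 80.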

Let us now formally prove the upper bound 130 on the termination of P1 by explicit-clock reasoning. To simplify the derivation, we may assume that both processes start simultaneously at time 0. Then we can infer the explicit-clock formula

{start  A  t  =  =  0)  -*  (t  <  130)  U  atj\ 
by the unless rule from the following global invariant:

{atJl  A  at  4  A  (y  =  t  =  =  0  V  1  <  y  <  t  =  dg^j))  V 

iatJ.\  A  atJl  A  y  +  dj^o  <  t  =  do_i)  V 

{atJl  A  atJl  A  1  <  y  <  11  A  t  <  20)  V 

t  (atJl  A  at4  A  y  <  10  A  t  <  10  +  dj^o)  V 

{atJl  A  atJl  A  y  <  11  A  t  +  lOy  <  130)  V 

(at4  A  atJl  A  1  <  y  <  11  A  t  +  lOy  <  130  +  dJ^j). 

This proof of timely termination resembles a mechanical, exhaustive case analysis of all possible state-time combinations that can occur during an execution of the two processes of the increment-decrement system. In the following section, we will introduce an alternative style of deriving the desired bound on termination that follows much more closely the intuitive argument we have outlined above.


6.3 Bounded-operator Reasoning

In this section, we present an alternative, and quite different, proof method for establishing bounded-response and bounded-invariance properties of the given timed transition system S: a method that does not employ the clock variable t or any other reference to the absolute time. For this purpose, we formulate the property we wish to prove using the time-bounded temporal operators of MTL and employ, without detours, a deductive system for deriving the S-validity of bounded-invariance and bounded-response formulas. The proof rules fall into four categories:

1. The single-step rules derive real-time properties that follow from the lower-bound or upper-bound requirement for a single transition.

2. The transitivity rules combine two local real-time properties of the same type (that is, either two bounded-invariance properties or two bounded-response properties) into a composite timing property.

3. The induction rules combine arbitrarily many local real-time properties of the same type into a global timing property.

4. The crossover rules combine local real-time properties of opposite types into a composite timing property.

At the end of this section, we will show this proof system to be relatively complete for a restricted class of verification problems and discuss some of the limitations of bounded-operator reasoning.

6.3.1 Deterministic rules

First we present the bounded-operator methodology for verifying deterministic systems: a timed transition system S is called deterministic if any two guards that are associated with outgoing edges of the same vertex in the timed transition diagram representation of S are disjoint. Nondeterministic systems require more complex (conditional) single-step reasoning and will be treated in the next subsection.

Single-step rules

The single-step lower-bound rule uses the minimal delay $l_\tau \in \mathbb{N}$ of a transition $\tau \in \mathcal{T}$ to infer a bounded-unless formula:

U-SS
  $p \to \neg\mathit{enabled}(\tau)$
  $\{\varphi\}\ \mathcal{T} - \tau\ \{\varphi\}$
  $(\varphi \wedge \mathit{enabled}(\tau)) \to r$
  ----------------------------------------
  $p \to q\ \mathcal{U}_{\geq l_\tau}\ r$

The rule U-SS derives a temporal (bounded-unless) formula from premises all of which are state formulas, whose S-validity is usually shown by proving them generally valid. The state formula $\varphi$ is called the invariant of the rule. Choosing r to be true, the rule infers a bounded-invariance property,

$p \to \Box_{<l_\tau}\ q$

(note that the last premise holds trivially in this case). To see why the rule U-SS is S-sound, observe that whenever the transition $\tau$ is not enabled, it cannot be taken for at least $l_\tau$ time units.

The single-step upper-bound rule uses the maximal delay $u_\tau \in \mathbb{N}$ of a transition $\tau$ to infer a bounded-response formula:

◇-SS
  $p \to (\varphi \vee q)$
  $\varphi \to \mathit{enabled}(\tau)$
  $\{\varphi\}\ \mathcal{T} - \tau\ \{\varphi \vee q\}$
  ----------------------------------------
  $p \to \Diamond_{\leq u_\tau}\ q$

This rule derives a temporal bounded-response formula from premises all of which are state formulas. The state formula $\varphi$ is again called the invariant of the rule. To see why the rule ◇-SS is S-sound, recall that the transition $\tau$ has to be taken before it would be continuously enabled for more than $u_\tau$ time units.

To demonstrate a typical application of the single-step rules, we consider again the single-process system P with the data precondition x = 0 and the following timed transition diagram:

[timed transition diagram of P, not reproduced: the transition $\tau_{0\to1}$ from l0 to the final location l1, guarded by x = 0, with delay interval [2, 3]]

The process P confirms that x = 0 and proceeds to the location l1. Because of the delay interval [2, 3] of the transition $\tau_{0\to1}$, the final location l1 cannot be reached before time 2 and must be reached by time 3. Using single-step reasoning, we can carry out a formal proof of this analysis. The bounded-invariance property that P does not terminate before time 2,

$\mathit{ready} \to \Box_{<2}\ \neg\mathit{at\_l_1}$,

is established by an application of the single-step lower-bound rule U-SS with respect to the transition $\tau_{0\to1}$ (let the invariant $\varphi$ be $\mathit{at\_l_0}$). The bounded-response property that P terminates by time 3,

$\mathit{start} \to \Diamond_{\leq 3}\ \mathit{at\_l_1}$,

follows from the single-step upper-bound rule ◇-SS with respect to the transition $\tau_{0\to1}$ (use the invariant $\mathit{at\_l_0} \wedge x = 0$).
Transitivity rules

To join a finite number of successive real-time constraints into a more complicated real-time property, we introduce transitivity rules. The transitive lower-bound rule combines two bounded-unless formulas:


We refer to the formula $\chi$ as the link of the rule. The transitive upper-bound rule combines two bounded-response formulas:


The formula $\chi$ is again called the link of the rule. Both transitivity rules are easily seen to be generally sound as well as S-sound for every timed transition system S.

We demonstrate the application of the transitivity rules by examining the single-process system P with the following timed transition diagram:

[timed transition diagram of P, not reproduced: data precondition x = 0; the transitions $\tau_{0\to1}$ and $\tau_{1\to2}$ lead through l1 to the final location l2]

We want to show that P terminates not before time 4 and not after time 6. First, we prove the lower bound on the termination of P:

$\mathit{ready} \to \Box_{<4}\ \neg\mathit{at\_l_2}$.

By the transitive lower-bound rule U-TRANS, it suffices to show the two premises

$\mathit{ready} \to (\neg\mathit{at\_l_2})\ \mathcal{U}_{\geq 2}\ \mathit{at\_l_0}$,   (1)
$\mathit{at\_l_0} \to (\neg\mathit{at\_l_2})\ \mathcal{U}_{\geq 2}\ \mathit{true}$.   (2)

Both premises can be established by single-step lower-bound reasoning. To show the premise (1), we apply the rule U-SS with respect to the transition $\tau_{0\to1}$, using the invariant $\mathit{at\_l_0}$; the premise (2) follows from the rule U-SS with respect to the transition $\tau_{1\to2}$, using the invariant $\mathit{at\_l_0} \vee \mathit{at\_l_1}$.

The upper bound on the termination of P,

$\mathit{start} \to \Diamond_{\leq 6}\ \mathit{at\_l_2}$,

is concluded by the transitive upper-bound rule ◇-TRANS. It suffices to show the premises

$\mathit{start} \to \Diamond_{\leq 3}\ (\mathit{at\_l_1} \wedge x = 0)$,
$(\mathit{at\_l_1} \wedge x = 0) \to \Diamond_{\leq 3}\ \mathit{at\_l_2}$,

both of which can be established by single-step upper-bound reasoning (use the invariants $\mathit{at\_l_0} \wedge x = 0$ and $\mathit{at\_l_1} \wedge x = 0$, respectively). Note that for lower-bound reasoning the link $\mathit{at\_l_0}$ identifies the last state before the transition $\tau_{0\to1}$ is taken, while for upper-bound reasoning the link $\mathit{at\_l_1} \wedge x = 0$ refers to the first state after $\tau_{0\to1}$ is taken.

For an example with a (deterministic) branching structure, consider the process P' with the following timed transition diagram:

[timed transition diagram of P', not reproduced]

We show that P' terminates either at time 3 or at time 4. The proof requires a case analysis on the initial value of x, which determines which path of the transition diagram is taken. The lower bound

$\mathit{ready} \to \Box_{<3}\ \neg\mathit{at\_l_3}$

is implied by the two bounded-invariance formulas

$(\mathit{ready} \wedge x = 0) \to \Box_{<3}\ \neg\mathit{at\_l_3}$,
$(\mathit{ready} \wedge x \neq 0) \to \Box_{<3}\ \neg\mathit{at\_l_3}$,
both of which can be derived by transitive lower-bound reasoning (as links use two state formulas, one carrying the conjunct x = 0 and the other the conjunct x ≠ 0, respectively). The upper bound

$\mathit{start} \to \Diamond_{\leq 4}\ \mathit{at\_l_3}$

follows by a similar case analysis and transitive upper-bound reasoning.

So far we have examined only single-process examples. In general, several processes that communicate through shared variables interfere with each other. Consider the synchronous two-process shared-variables multiprocessing system with the data precondition x = 1 and the following timed transition diagrams:

[timed transition diagrams of P1 and P2, not reproduced: data precondition x = 1]

The first process, P1, is identical to a previous example; with a minimal delay of 2 time units and a maximal delay of 3 time units, it confirms that x = 0 and proceeds to the location l1. However, this time the value of x is not 0 from the very beginning, but set to 0 by the second process, P2, only at time 1. Thus, P1 can reach its final location l1 no earlier than at time 3 and no later than at time 4.

For a formal proof we need the transitivity rules. The bounded-invariance property

$\mathit{ready} \to \Box_{<3}\ \neg\mathit{at\_l_1}$

is established by an application of the transitive lower-bound rule U-TRANS. It suffices to show the premises

ready  A  x  =  1), 

A  *  =  1)  -*  (->otj})U>j  true, 

both of which follow from single-step lower-bound reasoning. Similarly, the transitive upper-bound rule ◇-TRANS is used to show the bounded-response property

$\mathit{start} \to \Diamond_{\leq 4}\ \mathit{at\_l_1}$

from the link $\mathit{at\_l_0} \wedge x = 0$.
Induction rules

To prove lower and upper bounds on the execution time of program loops, we need to combine a state-dependent number of bounded-invariance or bounded-response properties. For this purpose it is economical to have induction schemes.

The inductive lower-bound rule U-IND generalizes the transitive lower-bound rule U-TRANS; it combines a potentially large number of similar bounded-unless formulas in a single proof step. Assume that the new, rigid variable $i \in V$ ranges over the natural numbers N; for any $n \in \mathbb{N}$:

U-IND
  $(\varphi(i) \wedge i > 0) \to p\ \mathcal{U}_{\geq l}\ \varphi(i - 1)$
  ----------------------------------------
  $\varphi(n) \to p\ \mathcal{U}_{\geq n \cdot l}\ \varphi(0)$

By $\varphi(i - 1)$ we denote the state formula that results from the inductive invariant $\varphi(i)$ by replacing all occurrences of the variable i with the expression i − 1; the formulas $\varphi(n)$ and $\varphi(0)$ are obtained analogously. Note that every instance of the rule U-IND, for any constant $n \in \mathbb{N}$, is derivable from the transitive lower-bound rule U-TRANS.

For a demonstration of inductive lower-bound reasoning, we consider the following single-process system P:

[timed transition diagram of P, not reproduced: x starts at 5 and is decremented until it reaches 0, whereupon P proceeds to l2]

The process P decrements the value of x until it is 0, at which point P proceeds to the location l2. Since x starts out with the value 5, and each decrement operation takes at least 2 time units, while the tests are instantaneous, the final location l2 cannot be reached before time 10. This lower bound,

$\mathit{ready} \to \Box_{<10}\ \neg\mathit{at\_l_2}$,

follows by transitivity and monotonicity from the two bounded-unless properties

$\mathit{ready} \to (\neg\mathit{at\_l_2})\ \mathcal{U}_{\geq 2}\ (\mathit{at\_l_1} \wedge x = 5)$,   (1)
$(\mathit{at\_l_1} \wedge x = 5) \to (\neg\mathit{at\_l_2})\ \mathcal{U}_{\geq 8}\ (\mathit{at\_l_1} \wedge x = 1)$.   (2)

The first property, (1), is enforced by two single-step lower bounds; the second property, (2), can be derived by the inductive lower-bound rule U-IND from the premise

$(\mathit{at\_l_1} \wedge x = i + 1 \wedge i > 0) \to (\neg\mathit{at\_l_2})\ \mathcal{U}_{\geq 2}\ (\mathit{at\_l_1} \wedge x = i)$,

which is concluded by transitive reasoning.

The inductive lower-bound rule has a twin that combines several similar bounded-response formulas by adding up their upper bounds u. In fact, both induction rules can be generalized, by letting the bounds l and u vary as functions of i. In its more general form, we state only the inductive upper-bound rule. It uses again a new, rigid variable $i \in V$ that ranges over the natural numbers N; for any $n \in \mathbb{N}$:

◇-IND
  $(\varphi(i) \wedge i > 0) \to \Diamond_{\leq u_i}\ \varphi(i - 1)$
  ----------------------------------------
  $\varphi(n) \to \Diamond_{\leq \sum_{i=1}^{n} u_i}\ \varphi(0)$

Every instance of this rule is derivable from the transitive upper-bound rule ◇-TRANS. The general form of the inductive upper-bound rule is useful to prove upper bounds for programs with loops whose execution time is not uniform. An example for such a system is the following odd-even variant of the process P:

[timed transition diagram of the odd-even variant of P, not reproduced]

(the expression even(i) evaluates to either 1 or 0 depending on whether the value of i is even). This bounded-response formula follows from transitive reasoning.
Crossover rules

So far we have presented only proof rules that combine properties of the same type. However, as the increment-decrement example of Subsection 6.2.2 has demonstrated, the addition of delays of the same type is insufficient for deriving all bounded-invariance and bounded-response properties of a timed transition system: both local lower bounds and upper bounds may jointly affect a global bounded-invariance (or bounded-response) property.

Specifically, to mimic the informal argument for the timely termination of the increment-decrement system by a bounded-operator proof, we need the crossover upper-bound rule:


This rule is a modification of the temporal formula

$(\Diamond_{\leq u}\ p \wedge \Box_{<l}\ q) \to \Diamond_{\leq u}\ (p \wedge q)$,

which is valid if u < l. We need the more complicated rule because the reasoning about lower and upper bounds is asymmetric: while bounded-invariance formulas refer, intuitively, to the last state before a transition is taken, bounded-response formulas refer to the first state after a transition was taken. This phenomenon is captured by the inverse verification condition

$\{p\}\ \mathcal{T}^{-1}\ \{q\}$,

which asserts that, in any run fragment $(\sigma, T)$ of S, if $\sigma_{i+1}$ is a p-state and $\sigma_{i+1} \neq \sigma_i$, then $\sigma_i$ is a q-state; note that, in this case, $T_{i+1} = T_i$, because all run fragments are deterministic timed state sequences. Also observe that for any state $\sigma_i$ in a run fragment such that $\sigma_i$ falsifies the ready condition, there is a run that contains a predecessor state that is different from $\sigma_i$. The S-soundness of the rule ◇-MIX follows.




We give here only a brief sketch of the bounded-operator proof for the bounded-response property

start  O<izo  CLtJ\ 

of the increment-decrement system. The derivation relies, as expected, on an interplay of lower-bound and upper-bound rules. First we show that within 10 time units P1 can increase the value of y at most to 10:

$\mathit{ready} \to \Box_{<11}\ (y \leq 10)$;

this is done by inductive lower-bound reasoning. Then we apply the crossover upper-bound rule ◇-MIX to the single-step upper bound

start  -♦  A  2  =  0), 

thus  obtaining  the  bounded-response  property 

start  O<io(y  <  10  A  atJ^  A  s  =  0). 

From here we proceed by pure upper-bound reasoning, performing a case analysis on the locations of P1.

The increment-decrement example illustrates the trade-off between bounded-operator reasoning and explicit-clock reasoning beautifully. Compare the two proofs of the upper bound on termination: while the bounded-operator (or "hidden-clock") style of real-time verification of this section refers to time only through the relative offsets of time-constrained temporal operators, the explicit-clock style of the previous section uses ordinary untimed temporal operators and refers to the absolute time in state formulas. Both styles trade off the complexity of the temporal proof structure against the complexity of the state invariants:

• The hidden-clock approach relies on complex proof structures similar to the proof lattices for establishing ordinary (untimed) liveness properties [105, 90] and uses relatively simple local invariants.

• The explicit-clock method employs only the plain unless rule, an (untimed) safety rule, but requires a powerful global invariant.

While the crossover upper-bound rule combines a bounded-invariance property and a bounded-response property into a bounded-response property, its counterpart, the crossover lower-bound rule, yields a bounded-unless property:
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U-MIX  u 

<i 

P 

°<ip 

- 

o<uq 

{p}r 

-  ri  {?} 

4 

— 

g  U  ( j  A  -.p) 

p 

This rule is S-sound, because it originates with the valid temporal formula (for $u \leq l$)

$(\Box_{<l}\ p \wedge \Diamond_{\leq u}\ (q\ \mathcal{U}\ (q \wedge \neg p))) \to p\ \mathcal{U}_{\geq l}\ q$.

Note that the last premise, which contains only an unbounded unless operator, can be established by untimed reasoning. In the following subsection, we will move further into this direction by delegating as much of the derivation of timing properties as possible to conventional untimed proof systems.

The  crossover  lower-bound  rule  U-MIX  can  be  used  to  derive  the  lower  bound 

ready  ^<2 

of the increment-decrement system.

6.3.2 Conditional rules

Unfortunately, the proof rules we have designed are not strong enough to show tight bounds on nondeterministic systems. To see this, consider the following nondeterministic variant P of a process encountered previously:

[timed transition diagram of the nondeterministic variant P, not reproduced]

As before, P terminates either at time 3 or at time 4. However, during an execution of P, one of the two transitions $\tau_{0\to1}$ and $\tau_{0\to2}$ is chosen nondeterministically. Thus we cannot carry out a case analysis with respect to a state formula that selects a unique guard. Instead, we proceed in two steps. First we establish an untimed safety formula that enumerates all possible nondeterministic choices. Then we decorate the unbounded temporal formula with time bounds.

Step 1  To establish the S-validity of a temporal formula $\phi$ that contains only unbounded unless operators (i.e., $\mathcal{U}_{\geq 0}$), it suffices to show that $\phi$ is true over all run fragments of the untimed transition system that underlies S. This can be achieved with the help of any conventional untimed proof system (for instance, the proof system of Manna and Pnueli [91]).

For example, to derive the lower bound 3 on the termination of our example P, we show the untimed formula

ready  ((atwix  U""  at  Jc  at  Ji)  V  (t) 

(nested  unless  operators  associate  to  the  right). 

Step 2 To add time bounds to this disjunction of nested unless formulas, we need conditional single-step rules. They establish single-step real-time bounds under the assumption that a particular disjunct has been chosen. The time bounds can then be combined by the transitivity rules and conditional crossover rules.

Nondeterministic  lower  bounds 

The conditional single-step lower-bound rule uses the minimal delay $l_\tau \in \mathbb{N}$ of a transition $\tau \in T$:

U-CSS   $p \to \neg\mathit{enabled}(\tau)$
        $\{q\}\ T - \tau\ \{q \vee \neg r\}$
        ------------------------------------------------------------
        $(p\ \mathcal{U}_{\ge 0}\ q\ \mathcal{U}^{+}\ (r \wedge \phi)) \to (p\ \mathcal{U}_{\ge 0}\ q\ \mathcal{U}_{\ge l_\tau}\ (r \wedge \phi))$

The rule U-CSS is S-sound for any temporal formula $\phi$.

In our example, we use the conditional single-step lower-bound rule U-CSS with respect to the transitions $\tau_{0\to 1}$ and $\tau_{0\to 2}$ to derive the conditional single-step bounds

(aUxU+otJoU+aUi)  -»  (oUiU+ otJoU^joUi). 




{atJj,V^  atJoVt^aUiY 

They allow us to conclude, from (†),

ready  {{aU^  at  Jo  aU^)  V  (atJj.  ctJoUti  aUj)).  (J) 

To  collapse  nested  bounded-unless  operators,  we  use  the  temporal  formula  U-COLL: 

U-COLL  ((pv  q)^>ii^h<f>) 

Note that this temporal formula, which is generally valid, can be derived from the transitive lower-bound rule U-TRANS by using the two tautologies

(pU>(,  gU>t3  <^)  (pU>;,  gU>/2 

(€U>/2^)  UU>i3^). 

From (‡) we obtain by collapsing and monotonicity

ready  — ►  ((at-/o  U>2  V  (at-/o  at-f2)); 

that is, using the (untimed) validity $p \to p\ \mathcal{U}\ p$ and monotonicity,

r^ady  ((at Jo  Ujj  at  Ji  U+  atJi)  V  (at Jo  at Jj)). 

Adding conditional single-step lower bounds for the transitions $\tau_{1\to 3}$ and $\tau_{2\to 3}$ gives

ready  -♦  ((at  Jo  U>2  at  Ji  at  Ji)  V  (at  Jo  U>i  at  J2  U>j  at  J2)), 

and by collapsing and monotonicity we finally arrive at the desired bounded-invariance property

$\mathit{ready} \to \Box_{<3}\,\neg\mathit{at\_l}_3.$

Nondeterministic  upper  bounds 

Conditional upper-bound reasoning does not require the nesting of unless operators. The conditional single-step upper-bound rule uses the maximal delay $u_\tau \in \mathbb{N}$ of a transition $\tau \in T$:

O-CSS   $p \to \mathit{enabled}(\tau)$
        $\{p\}\ \tau\ \{\neg p\}$
        ------------------------------------
        $(p\ \mathcal{U}\ \phi) \to \Diamond_{\le u_\tau}\,\phi$

Clearly, the rule O-CSS is S-sound for any temporal formula $\phi$. Note that the second premise of this rule is trivially valid if $\tau$ becomes disabled by being taken, as is the case for all transitions of a timed transition system that is given by timed transition diagrams (recall that we have ruled out self-loops in transition diagrams). It is also worth pointing out that both conditional lower-bound and conditional upper-bound reasoning rely only on assumptions that are built from state formulas by positive boolean connectives and unbounded unless operators and, therefore, define untimed safety properties. Accordingly, the first step of conditional reasoning can be carried out by any untimed method for deriving safety properties.

To derive the upper bound 4 on the termination of our example P, we show first the untimed formula

$\mathit{start} \to ((\mathit{at\_l}_0\ \mathcal{U}\ \mathit{at\_l}_1) \vee (\mathit{at\_l}_0\ \mathcal{U}\ \mathit{at\_l}_2)).$

By the conditional single-step upper-bound rule O-CSS with respect to the transitions $\tau_{0\to 1}$ and $\tau_{0\to 2}$, we derive the conditional single-step bounds

$(\mathit{at\_l}_0\ \mathcal{U}\ \mathit{at\_l}_1) \to \Diamond_{\le 2}\,\mathit{at\_l}_1,$

$(\mathit{at\_l}_0\ \mathcal{U}\ \mathit{at\_l}_2) \to \Diamond_{\le 2}\,\mathit{at\_l}_2.$

They allow us to conclude

$\mathit{start} \to (\Diamond_{\le 2}\,\mathit{at\_l}_1 \vee \Diamond_{\le 2}\,\mathit{at\_l}_2).$

Now we can proceed by unconditional upper-bound reasoning to arrive at the desired bounded-response property

$\mathit{start} \to \Diamond_{\le 4}\,\mathit{at\_l}_3.$


Conditional crossover reasoning

For combining assumptions that contain both lower bounds and upper bounds, we need the conditional crossover lower-bound rule U-CMIX and the conditional crossover upper-bound rule O-CMIX:




Both crossover rules, which really are schemas of valid temporal formulas, will be essential for the proof of relative completeness of conditional bounded-operator reasoning.

6.3.3 Relative completeness

Suppose we are given an untimed proof system that is complete for nested unless formulas. Although such a proof system cannot exist for most data domains, there are temporal proof systems that are complete relative to state reasoning [92]. Assuming that all untimed safety properties of the given timed transition system S can be derived, we prove two results about the power of bounded-operator reasoning:

1. First, we use the simplifying assumption that the nontrivial timing constraints of S are either all minimal delays or all maximal delays. This case does not require crossover reasoning, and our proof system (without crossover rules) can indeed derive every bounded-invariance and bounded-response property of S. We prove relative completeness by constructing a “constraint pattern” of transition delays for any given property. This technique can be generalized to the following case.

2. Secondly, we show that our proof system (with crossover rules) can derive every bounded-invariance and bounded-response property that satisfies, relative to the given timed transition system S, the sufficient condition of stability. Roughly speaking, a temporal formula $\phi$ will be called stable for S iff the truth of $\phi$ at any state along a run of S can be determined without any information about the history of the run.

In addition, we will argue that bounded-operator reasoning, as we have presented it, is strictly less powerful than explicit-clock reasoning and cannot be used to derive every bounded-invariance and bounded-response property of S.
Theorem 6.2 (Relative completeness of bounded-operator reasoning) (The unidirectional case) Let $S = (\Sigma, \Theta, T, l, u)$ be an operational timed transition system such that either $l_\tau = 0$ for all $\tau \in T$ or $u_\tau = \infty$ for all $\tau \in T$. Let $\phi$ be a bounded-invariance or a bounded-response formula. If $\phi$ is S-valid, then it can be derived by the monotonicity, transitivity, and conditional single-step rules relative to untimed safety reasoning.

Proof of Theorem 6.2 (1) Suppose that all maximal delays of S are $\infty$. First we observe that, under the given restrictions, untimed reasoning is complete for untimed properties of S. This is because in the absence of finite maximal delays there is a time sequence $T$ for every run fragment $\sigma$ of the untimed weakly-fair transition system that underlies S such that $(\sigma, T)$ is a run fragment of S (choose all time steps large enough). It follows that any untimed temporal formula that is S-valid is also valid for the underlying untimed system and, thus, can be established by untimed reasoning.

Any bounded-response property is either trivially not S-valid or can be established by untimed reasoning. Now suppose that the bounded-invariance property

P  -*  (1) 

is S-valid; we show that it can be derived within our proof system. The main idea is to see that in order for (1) to be valid, for any p-state in a run of S there has to be a sequence of nonoverlapping single-step lower bounds that add up to at least l before a q-state can be reached. We show that there are only finitely many such ways in which a q-state can be delayed for l time units; hence they can be enumerated by a single untimed formula.

Consider an arbitrary run fragment $\rho = (\sigma, T)$ of S such that $\sigma_i$, $i \ge 0$, is a p-state. Let $\sigma_j$ be the first q-state with $j > i$; if no such state exists, let $j = \infty$. We write $\tau_h$ for the transition that is completed at position $h > 0$ of $\rho$. A lower-bound l-constraint pattern for $\sigma_{i..j}$ is a finite sequence of nonoverlapping single-step lower bounds between i and j that add up to at least l. Formally, a constraint pattern C is a sequence of transitions $\tau_{i_1}, \ldots, \tau_{i_n}$. The pattern C is a lower-bound l-constraint pattern iff

$\sum_{1 \le k \le n} l_{\tau_{i_k}} \ge l;$

it is a lower-bound constraint pattern for $\sigma_{i..j}$ iff

(a) $i = i_0 < i_1 < \cdots < i_n \le j$ and

(b) for all $1 \le k \le n$, the transition $\tau_{i_k}$ is not enabled on some state $\sigma_{j_k}$ such that $i_{k-1} \le j_k < i_k$.

A lower-bound constraint pattern for $\sigma_{i..j}$ can be visualized by annotating the run fragment $\rho$ with backward arrows that represent single-step lower bounds:

[figure omitted: run fragment $\rho$ annotated with backward arrows between the positions $i_0, i_1, \ldots$]


Two constraint patterns are equivalent iff one is a subpattern of the other (i.e., can be obtained by omitting transitions). It is not hard to show the following two properties of lower-bound constraint patterns:

Property A There is a lower-bound l-constraint pattern for $\sigma_{i..j}$ (use the truth of (1) over the i-th suffix of $\rho$).

Property B There are only finitely many different equivalence classes of lower-bound l-constraint patterns.

We add, for every transition $\tau \in T$, the boolean variable $\mathit{completed}_\tau$ to our language; it is intended to be true in a state $\sigma_i$, $i > 0$, of a run $\rho = (\sigma, T)$ iff the transition $\tau$ is completed at position i of $\rho$. For our purpose, it turns out to be sufficient that $\mathit{completed}_\tau$ satisfies the two axioms

$\{\mathit{true}\}\ \tau\ \{\mathit{completed}_\tau\},$

$\{\mathit{true}\}\ T - \tau\ \{\neg\mathit{completed}_\tau\}.$ (†)

By Property A, there is an untimed formula of the form

$(\neg q)\ \mathcal{U}\ (\neg q \wedge \neg\mathit{enabled}(\tau_{i_1}))\ \mathcal{U}\ (\neg q)\ \mathcal{U}^{+}\ (\neg q \wedge \mathit{completed}_{\tau_{i_1}})\ \mathcal{U}^{+}\ \cdots\ (\neg q \wedge \mathit{completed}_{\tau_{i_n}})$

that is true over the i-th suffix of $\rho$. Since there are, by Property B, only finitely many formulas of this form, $p \to \psi$ for some finite disjunction $\psi$ of nested unless formulas is S-valid and, thus, given by untimed reasoning. From (†) we infer by the conditional single-step lower-bound rule U-CSS with respect to any transition $\tau \in T$ that

$((\neg\mathit{enabled}(\tau))\ \mathcal{U}_{\ge 0}\ \varphi\ \mathcal{U}^{+}\ (\mathit{completed}_\tau \wedge \phi)) \to ((\neg\mathit{enabled}(\tau))\ \mathcal{U}_{\ge 0}\ \varphi\ \mathcal{U}_{\ge l_\tau}\ (\mathit{completed}_\tau \wedge \phi))$

for any state formula $\varphi$ and temporal formula $\phi$. Hence we can decorate the untimed nested unless formula with time bounds. By repeated collapsing and monotonicity similar to the sample lower-bound derivation above, we arrive at the desired bounded-invariance property (1).

(2) Now suppose that all minimal delays of S are 0; the proof proceeds similarly to the previous case. Untimed reasoning is complete for untimed properties of S, because S is operational. Any bounded-invariance property is either trivially not S-valid or can be established by untimed reasoning. So let us assume that the bounded-response property

$p \to \Diamond_{\le u}\,q$ (2)

is S-valid. Consequently, every p-state in a run of S has to be followed by a q-state that can be reached by a sequence of overlapping single-step upper bounds that add up to at most u. We visualize single-step upper bounds by forward arrows:


[figure omitted: run fragment $\rho$ annotated with forward arrows between the positions $i_0, i_1, \ldots$]


Formally, let $\rho = (\sigma, T)$ be a run fragment of S such that $\sigma_i$, $i \ge 0$, is a p-state, and let $\sigma_j$ be the first q-state with $j > i$. For the sake of simplicity, we assume that the transition $\tau_h$, which is completed at the position $h > 0$ of $\rho$, is not enabled on $\sigma_h$ (otherwise split $\tau_h$ into two identical transitions with different names). A constraint pattern C is an upper-bound u-constraint pattern iff

$\sum_{1 \le k \le n} u_{\tau_{i_k}} \le u;$

it is an upper-bound constraint pattern for $\sigma_{i..j}$ iff

(a) $i = i_0 < i_1 < \cdots < i_{n-1} < j \le i_n$ and

(b) for all $1 \le k \le n$, the transition $\tau_{i_k}$ is enabled but not completed at all states $\sigma_{j_k}$ such that $i_{k-1} \le j_k < i_k$.

It is not hard to see that upper-bound constraint patterns also satisfy the two crucial properties:

Property A There is an upper-bound u-constraint pattern for $\sigma_{i..j}$ (use the truth of (2) over the i-th suffix of $\rho$).

Property B There are only finitely many different equivalence classes of upper-bound u-constraint patterns (use the operationality of S).

By Property A, there is an untimed formula of the form

$(\mathit{enabled}(\tau_{i_1}) \wedge \neg\mathit{completed}_{\tau_{i_1}})\ \mathcal{U}\ (\mathit{enabled}(\tau_{i_2}) \wedge \neg\mathit{completed}_{\tau_{i_2}})\ \mathcal{U}\ \cdots\ \mathcal{U}\ (\mathit{enabled}(\tau_{i_n}) \wedge \neg\mathit{completed}_{\tau_{i_n}})\ \mathcal{U}\ q$

that is true over the i-th suffix of $\rho$. By Property B, there is again a finite disjunction $\psi$ of nested unless formulas such that the implication $p \to \psi$ is S-valid and, therefore, given by untimed reasoning. By repeated application of the conditional single-step upper-bound rule O-CSS, transitivity, and monotonicity, we arrive at the desired bounded-response property (2). More specifically, to collapse nested bounded-eventually operators, we can use the valid temporal formula O-COLL, which is derivable from the transitive upper-bound rule O-TRANS:


0*C0LiB  (^<ui  0 
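The constraint patterns used in both parts of the proof above can be computed mechanically over a concrete run. The following Python program is an added example, not code from the thesis: it encodes a run fragment as a list of positions (time stamp, transitions enabled on the state, transition completed at that position), searches for a lower-bound constraint pattern for $\sigma_{i..j}$ with the largest total minimal delay and for an upper-bound constraint pattern with the smallest total maximal delay, each under conditions (a) and (b) of the respective definition, and checks that the time that actually elapses in the run lies between the two sums. The run, the transition names `s`, `a`, `b`, `c` and their delays are constructed for the example, and the class and function names (`Pos`, `lower_bound_pattern`, `upper_bound_pattern`, `bounds_are_sound`) are the example's own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pos:
    """Position h of a run fragment rho = (sigma, T): time stamp T(h), the
    transitions enabled on sigma_h, and the transition completed at h (taken
    from sigma_{h-1} to sigma_h; None at position 0 and after a pure time
    step).  This encoding is the example's own assumption."""
    T: int
    enabled: frozenset
    completed: Optional[str] = None


def _disabled_somewhere(run, tau, m, k):
    """Condition (b) for lower bounds: tau is not enabled on some sigma_w,
    m <= w < k, so its delay counter cannot predate position m."""
    return any(tau not in run[w].enabled for w in range(m, k))


def _enabled_throughout(run, tau, m, k):
    """Condition (b) for upper bounds: tau is enabled and not completed on
    every sigma_w, m <= w < k, so it has been waiting since position m."""
    return all(tau in run[w].enabled and run[w].completed != tau
               for w in range(m, k))


def lower_bound_pattern(run, lb, i, j):
    """Lower-bound constraint pattern for sigma_{i..j} with the largest sum of
    minimal delays: a chain i = i_0 < i_1 < ... < i_n <= j of completed
    transitions, each disabled somewhere in the preceding interval.
    Returns (sum, [i_1, ..., i_n]); the empty pattern has sum 0."""
    best = {i: (0, [])}                 # best chain ending at each position
    for k in range(i + 1, j + 1):
        tau = run[k].completed
        if tau is None:                 # time step: nothing completed here
            continue
        for m, (total, chain) in list(best.items()):
            if _disabled_somewhere(run, tau, m, k):
                cand = (total + lb[tau], chain + [k])
                if k not in best or cand[0] > best[k][0]:
                    best[k] = cand
    return max(best.values(), key=lambda c: c[0])


def upper_bound_pattern(run, ub, i, j):
    """Upper-bound constraint pattern for sigma_{i..j} with the smallest sum
    of maximal delays: a chain i = i_0 < ... < i_{n-1} < j <= i_n of completed
    transitions, each continuously enabled over the preceding interval.
    Returns (sum, [i_1, ..., i_n]), or None if no pattern exists."""
    best = {i: (0, [])}                 # chains whose last position is < j
    for k in range(i + 1, j):
        tau = run[k].completed
        if tau is None:
            continue
        for m, (total, chain) in list(best.items()):
            if _enabled_throughout(run, tau, m, k):
                cand = (total + ub[tau], chain + [k])
                if k not in best or cand[0] < best[k][0]:
                    best[k] = cand
    result = None
    for k in range(j, len(run)):        # the last step may cross position j
        tau = run[k].completed
        if tau is None:
            continue
        for m, (total, chain) in best.items():
            if _enabled_throughout(run, tau, m, k):
                cand = (total + ub[tau], chain + [k])
                if result is None or cand[0] < result[0]:
                    result = cand
    return result


def bounds_are_sound(run, lb, ub, i, j):
    """The time elapsing between sigma_i and sigma_j lies within the bounds
    that the two patterns justify."""
    elapsed = run[j].T - run[i].T
    lower, _ = lower_bound_pattern(run, lb, i, j)
    upper = upper_bound_pattern(run, ub, i, j)
    return lower <= elapsed and (upper is None or elapsed <= upper[0])


# Constructed sample, not from the thesis: s starts a process that takes a
# (minimal delay 2), waits for transition c of a second component, then takes
# b (minimal delay 1).  Positions with completed=None are time steps.
LB = {"s": 0, "a": 2, "c": 0, "b": 1}   # minimal delays l_tau
UB = {"s": 0, "a": 3, "c": 1, "b": 2}   # maximal delays u_tau
E = frozenset
SAMPLE_RUN = [
    Pos(0, E({"s"})),         # sigma_0: the p-state
    Pos(0, E({"a"}), "s"),
    Pos(1, E({"a"})),
    Pos(2, E({"a"})),
    Pos(2, E({"c"}), "a"),
    Pos(2, E({"b"}), "c"),
    Pos(3, E({"b"})),
    Pos(3, E(), "b"),         # sigma_7: the first q-state
]
```

On the sample run, `lower_bound_pattern(SAMPLE_RUN, LB, 0, 7)` chains `a` and `b` (positions 4 and 7) for a total of 3, which matches the 3 time units that elapse; `s` cannot contribute because it is already enabled at $\sigma_0$, the case the witness in condition (b) rules out. `upper_bound_pattern(SAMPLE_RUN, UB, 0, 7)` chains all four transitions for a total of 6, a sound but not tight bound; as in the proof, the last step of the chain is allowed to complete at or beyond position j. Because both searches only look at positions from i onwards, they embody the restriction that Section 6.3.3 later calls stability: nothing before position i is consulted.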


The need for history information

Now let us, as promised, generalize the relative completeness result to timed transition systems that contain both nontrivial minimal delays and nontrivial maximal delays. To illustrate some of the complications that arise in the general case, we consider the synchronous two-process multiprocessing system with the following timed transition diagram definition:




Both processes of this system operate perfectly synchronously, at the exact same speed, but they are “out of phase,” because the second process, $P_2$, starts to loop only 1 time unit after the first process, $P_1$. For instance, the bounded-response formula

at4 0<:at4 (†)

is S-valid for the timed transition system S that is associated with the concrete system $P_1 \,\|\, P_2$. A proof of the bounded-response property (†) in the explicit-clock style of reasoning uses the delay counters of transitions in an essential way. Since we have, in the version of bounded-operator reasoning that we have presented, no way of referring to the history of a state in a run, we cannot derive the property (†). This deficiency can, of course, be remedied by introducing a mechanism whose expressiveness is equivalent to explicit delay counters. One option that preserves the flavor of bounded-operator reasoning is the addition of time-constrained past temporal operators for referring to the immediate history of a state in a run of a system. Here we choose not to pursue this extension, but rather prove the relative completeness of bounded-operator reasoning for a restricted set of verification problems only. For this purpose, we define the notions of lower-bound and upper-bound stability.

Stable properties

A state formula p is called lower-bound-stable for the timed transition system S iff for every run $(\sigma, T)$ of S and all $i \ge 0$,

if $\sigma_{i+1}$ is a p-state and $\sigma_i$ is not a p-state and the transition $\tau \in T$ is enabled on both $\sigma_i$ and $\sigma_{i+1}$, then $l_\tau = 0$.

The formula p is upper-bound-stable for S iff for every run $(\sigma, T)$ of S and all $i \ge 0$,

$\sigma_0$ is not a p-state, and if $\sigma_{i+1}$ is a p-state and $\sigma_i$ is not a p-state and the transition $\tau \in T$ is enabled on both $\sigma_i$ and $\sigma_{i+1}$, then $u_\tau = \infty$.

For instance, the ready condition ready is lower-bound-stable for every timed transition system S and the synchronous starting condition start is upper-bound-stable for every system S. If the timed transition system S is associated with a single-process system, then every state formula of the form $\mathit{at\_l}_i$ is both lower-bound-stable and upper-bound-stable (if $i \ge 1$) for S. Clearly, if p is lower-bound-stable (or upper-bound-stable) for any timed transition system, then so is the stronger assertion $p \wedge q$.

Given a timed transition system S, we say that a bounded-invariance property

$p \to \Box_{<l}\,q$

is stable for S iff the antecedent p is lower-bound-stable for S. Similarly, a bounded-response property

$p \to \Diamond_{\le u}\,q$

is stable for S iff its antecedent p is upper-bound-stable for S. We will show that every stable bounded-invariance and bounded-response property of S can be derived by bounded-operator reasoning. As we have just seen, this includes all bounded-invariance and bounded-response properties with the antecedents ready and start, respectively, as well as all properties of single-process systems whose antecedents contain a conjunct of the form $\mathit{at\_l}_i$, for any location $l_i$. The trouble with the bounded-response property (†) of the two-process system given above is that its antecedent $\mathit{at\_l}_0$ is not upper-bound-stable: a transition of the process $P_1$ may enter or leave the location $l_0$ while a transition of the competing process $P_2$ is enabled and counting towards its maximal delay of 2.
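The two stability conditions can be checked directly against a set of runs. The following Python program is an added example, not code from the thesis: a run is a list of states, each carrying the atomic propositions it satisfies and the transitions enabled on it; `lower_bound_violations` and `upper_bound_violations` return every (run, position, transition) at which a p-state is entered while a transition with a positive minimal delay, respectively a finite maximal delay, is enabled on both the state before and the state after, and `upper_bound_violations` additionally reports a run whose initial state already satisfies p. It reads the lower-bound definition with the same shape as the upper-bound one (an assumption of the example). The run is constructed by hand in the spirit of the two-process system above (two loops of period 2, the second one started 1 time unit later); its proposition and transition names and all delays are the example's own.

```python
from dataclasses import dataclass

INF = float("inf")          # u_tau = infinity: the transition has no maximal delay


@dataclass(frozen=True)
class State:
    """A state sigma_i of a run: the atomic propositions true on it and the
    transitions enabled on it (the example's own encoding)."""
    props: frozenset
    enabled: frozenset


def _entries(runs, p):
    """Yield (run index, i, tau) whenever sigma_{i+1} is a p-state, sigma_i is
    not, and tau is enabled on both sigma_i and sigma_{i+1}."""
    for r, run in enumerate(runs):
        for i in range(len(run) - 1):
            if p(run[i + 1]) and not p(run[i]):
                for tau in sorted(run[i].enabled & run[i + 1].enabled):
                    yield r, i, tau


def lower_bound_violations(runs, p, lb):
    """Entries into p across a transition whose minimal delay is not 0; each
    one breaks lower-bound stability of p."""
    return [(r, i, tau) for r, i, tau in _entries(runs, p) if lb[tau] != 0]


def upper_bound_violations(runs, p, ub):
    """Entries into p across a transition whose maximal delay is finite, plus
    (r, -1, None) for every run whose sigma_0 already is a p-state; each one
    breaks upper-bound stability of p."""
    bad = [(r, -1, None) for r, run in enumerate(runs) if p(run[0])]
    bad += [(r, i, tau) for r, i, tau in _entries(runs, p) if ub[tau] != INF]
    return bad


def holds(*props):
    """State formula: the conjunction of the given atomic propositions."""
    return lambda s: all(q in s.props for q in props)


# Constructed run (not the thesis's diagram): P1 loops l0 -> l1 -> l0 via a
# and a2, P2 loops m0 -> m1 -> m0 via c and c2, all with delays [2,2]; P2
# first needs d ([1,1]) to reach m0, so it runs 1 time unit behind P1.  The
# transition init ([0,0]) leads from the ready state to the start state.
# Two consecutive equal states are a time step.
LB = {"init": 0, "a": 2, "a2": 2, "d": 1, "c": 2, "c2": 2}
UB = {"init": 0, "a": 2, "a2": 2, "d": 1, "c": 2, "c2": 2}
E = frozenset
RUN = [
    State(E({"ready"}), E({"init"})),                  # T=0
    State(E({"at_l0", "at_mpre"}), E({"a", "d"})),     # T=0, init taken
    State(E({"at_l0", "at_mpre"}), E({"a", "d"})),     # T=1
    State(E({"at_l0", "at_m0"}), E({"a", "c"})),       # T=1, d taken
    State(E({"at_l0", "at_m0"}), E({"a", "c"})),       # T=2
    State(E({"at_l1", "at_m0"}), E({"a2", "c"})),      # T=2, a taken
    State(E({"at_l1", "at_m0"}), E({"a2", "c"})),      # T=3
    State(E({"at_l1", "at_m1"}), E({"a2", "c2"})),     # T=3, c taken
    State(E({"at_l1", "at_m1"}), E({"a2", "c2"})),     # T=4
    State(E({"at_l0", "at_m1"}), E({"a", "c2"})),      # T=4, a2 taken
]
```

With `holds("at_l0")` the check reports the entry at position 8, where $P_1$ returns to $l_0$ while `c2` of $P_2$ is enabled on both states and still counting towards its maximal delay 2; no bounded-response property with antecedent `at_l0` is therefore stable for this run. With `holds("at_l0", "at_mpre")`, which plays the role of start here, no transition is enabled across the entry and $\sigma_0$ is not a start-state, so the check returns no violations; `holds("ready")` is lower-bound-stable but fails the $\sigma_0$ clause of upper-bound stability.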

We  show  that  stability  is  a  sufficient  condition  for  relative  completeness.  In  fact,  as  the 
following  argument  will  reveal,  our  definition  of  stability  has  been  motivated  by  the  attempt 
to  generalize  the  constraint  pattern  technique  that  we  used  to  prove  Theorem  6.2. 

Theorem 6.3 (Relative completeness of bounded-operator reasoning) (The bidirectional case) Let S be an operational timed transition system and let $\phi$ be a bounded-invariance or a bounded-response formula that is stable for S. If $\phi$ is S-valid, then it can be derived by the monotonicity, transitivity, conditional single-step, and conditional crossover rules relative to untimed safety reasoning.

Proof of Theorem 6.3 We give only a brief sketch of the proof, which parallels the proof of Theorem 6.2. Suppose we wish to derive the S-valid stable property $\phi$. In the presence of both minimal and maximal delays, constraint patterns are not linear, but resemble, in general, zigzag sequences of single-step upper bounds and single-step lower bounds. Let us draw single-step lower bounds by backward arrows and single-step upper bounds by forward arrows. Then, a lower-bound constraint pattern for the run segment $\sigma_{i..j}$ may be of the form:

[figure omitted: zigzag lower-bound constraint pattern between the positions i and j]

Dually, an upper-bound constraint pattern for $\sigma_{i..j}$ may be of the form:

[figure omitted: zigzag upper-bound constraint pattern between the positions i and j]
We hope that these pictures give enough intuition to justify the omission of the straightforward, but tedious, formal definition of general constraint patterns. For the relative completeness proof to go through, we have to establish the familiar two properties of constraint patterns for both the lower-bound case and the upper-bound case:

Property A Existence of a constraint pattern for $\sigma_{i..j}$ (use the S-validity of $\phi$ as before).

Property B Existence of at most finitely many different equivalence classes of constraint patterns. This is where the stability of $\phi$ comes into play: while the operationality of S ensures the existence of a constraint pattern for $\sigma_{i..j}$ that does not cross beyond the position j, the stability of $\phi$ guarantees, by definition, that no constraint pattern for $\sigma_{i..j}$ crosses below the position i. Since S has only finitely many transitions, it follows that there can be only finitely many distinct constraint patterns within the finite interval from i to j.

Both properties ensure the existence of an S-valid untimed formula that characterizes all constraint patterns. It is not hard to see that the conditional crossover rules U-CMIX and O-CMIX, which have been designed for exactly this purpose, suffice to collapse any reversal of direction in a zigzag constraint pattern. □


Chapter  7 

Discussion 


The  time  has  come  to  look  back  and  see  what  has  been  accomplished,  and  what  remains 
to  be  done.  Once  we  agreed  that  real-time  verification  is  a  genuine  object  for  theoretical 
investigation,  we  were  immediately  confronted  with  several  decisions.  To  avoid  distraction 
from  the  issues  that  concern  time,  we  chose  a  simple  model  of  computation  and  represented 
reactive  systems  by  sets  of  infinite  sequences  of  state  changes.  With  regard  to  time,  we 
faced  two  questions: 

Semantics How should we model time? While physicists seem fairly unanimous in their opinion that, above quantum level, time is best approximated by the real line, philosophers and logicians have proposed a curious variety of different models of time. These models range from linear to branching to partial-order time and from discrete to dense to continuous time, to name just a few (consult, for example, [25, 124]). We believe that for computer scientists, the choice should be directed by two issues:

1. Given a certain mathematical model of physical time, what can we prove in the model and how difficult is it to do so? This question can, for any given model, be formulated and answered in precise complexity-theoretic terms. In the analog-clock model we encountered tremendous hurdles in the form of undecidability results. Hence we opted for the more abstract digital-clock model and an indirect approach to real-time verification.

2. If we have proved something in a certain mathematical model of physical time, what, if anything, have we proved about physical time? Needless to point out, “verification” of a real-time system in, say, the digital-clock model is only sensible if the result gives us some insight into the physical reality. After all, that flight control system we just proved “correct” has to operate in dense time.

The  question  we  have  posed,  however,  must  inevitably  remain  somewhat  vague 
and  philosophical  (what  is  the  “physical  reality”?)  and  thus  —  unfortunately  — 
is  often  neglected.  We  believe  that  the  classical  physicists’  model  of  time  as  the 
real  line  captures  all  aspects  of  reality  that  we  are  interested  in,  and  we  suggest 
that  it  serves  as  the  point  of  reference  for  rating  the  adequacy  of  any  real-time 
verification  method  that  deems  it  convenient  to  assume,  for  computational  or 
other  reasons,  a  more  abstract  representation  of  time.  As  a  case  in  point,  we 
justified  our  use  of  the  digital-clock  model  by  showing  that  a  large  and  important 
class  of  real-time  systems  and  real-time  properties  is  digitizable. 

Syntax How should we define real-time properties? Given our model of time and computation, real-time properties are sets of timed state sequences. We chose to build on the established verification framework that has been developed for temporal logic. Thus we essentially looked at two ways to specify real-time properties — transition systems and temporal logics.

One commonly raised objection to temporal logic as a real-time specification language is that the very purpose of the temporal operators is the abstraction of time. Since, for the definition of timing properties, it is necessary to reintroduce time as a first-order domain, one should dispense with the temporal operators altogether. We showed that this argument leads to unnecessarily unwieldy and expensive specification languages. Instead, we pursued a more careful, and often more natural, introduction of time than by first-order time variables, which gave us the crucial benefit of elementary decision procedures.

To summarize, we have succeeded in incorporating time conservatively into transition systems and temporal logic. We have demonstrated that qualitative temporal reasoning about state sequences, be it model checking or theorem proving, can be naturally and conservatively extended to quantitative temporal reasoning about timed state sequences. Along the way, we identified the restrictions on syntax and semantics necessary for obtaining elementarily decidable instances of the real-time verification problem. We showed that only a very weak arithmetic over a discrete domain of time can be combined with reasoning about state sequences to obtain decidable real-time logics. Then we presented two ways of constraining the syntax further to find elementary real-time extensions of linear temporal logic with the full expressive power of the maximal decidable theory of timed state sequences. Thus, the two temporal logics TPTL and MTL occupy a position among real-time logics that is as theoretically appealing as the standing of the untimed logic PTL is for qualitative reasoning.

In  addition,  we  have  provided  evidence  that  timed  transition  systems  naturally  model 
many  classes  of  real-time  systems  of  practical  importance,  just  as  we  have  demonstrated 
that  both  TPTL  and  MTL  are  practical  real-time  specification  languages.  This  is  why  we 
believe  that  the  model-checking  algorithms  and  the  proof  methodologies  that  we  presented 
are  important  milestones  on  the  long  and  winding  road  to  the  formal  verification  of  “real” 
real-time  systems. 


7.1  Some  Connections  with  Related  Research 

Even  though  the  field  is,  by  any  standard,  extremely  young,  there  has  been  a  surge  of 
literature  on  the  formal  analysis  of  real-time  systems  in  recent  years.  As  the  number  of 
researchers  has  proliferated,  so  has  the  number  of  models  and  languages  that  have  been 
studied.  The  proceedings  of  a  recent  workshop  on  the  topic  “Real  Time:  Theory  in  Practice” 
will  provide  an  excellent  starting  point  for  anybody  who  wishes  to  explore  the  range  of 
endeavors  that  are  under  way  [31].  We  have  already  pursued,  throughout  the  thesis,  concrete 
comparisons  with  formalisms  that  are  directly  related  to  the  issues  being  discussed.  So 
instead of trying (and necessarily failing) to give an exhaustive list of all proposals for
formal  reasoning  about  the  combination  of  time  and  computation,  we  take  this  opportunity 
to  attempt,  first,  a  classification  of  the  semantical  assumptions  of  typical  approaches.  This 
will  allow  us  to  focus,  thereafter,  on  the  formalisms  that  are  interpreted  over  models  closely 
related  to  timed  state  sequences. 


7.1.1  Semantic  alternatives:  Real-time  models 

In  interpreting  systems  and  specifications  over  timed  state  sequences,  we  have  assumed  a 
state-based,  discrete,  interleaved,  linear,  asynchronous  model  of  computation: 
State-based because states are our primitive components of system behaviors. Alternatives include action-based models, whose semantic primitives are state changes. It may be argued that state-based approaches are more general, because states can encode not only individual actions but entire histories of actions [78].

Although the choice of semantics is, in principle, often independent of the syntax of a language, there are certain classes of languages that traditionally have been interpreted over certain domains. While temporal logics are usually (but by no means necessarily) given a state-based semantics, process algebras generally refer to actions. Consequently, unlike temporal logic, process algebra cannot treat time explicitly as a state variable, and the need arose early on to extend process algebras with operators that refer to time. By now there are more proposals of how this may be done than we can enumerate and compare here; we only point to the real-time extensions of CSP by Reed and Roscoe [112], the real-time extensions of CCS by Moller and Tofts [101] and by Wang [128], the real-time extensions of ACP by Nicollin, Richier, Sifakis, and Voiron [103] and by Baeten and Bergstra [14], and the formalism Communicating Shared Resources of Gerber and Lee [44].

Discrete  because  we  allow  only  countably  many  state  changes.  Alternatives  include  models 
for  continuous  processes  and  models  for  hybrid  systems,  which  combine  both  discrete 
and  continuous  components  [87].  A  continuous  process  may  change  its  state  at  every 
real  point  in  time  according  to,  say,  a  set  of  differential  equations. 

Interleaved because we model concurrent activity by nondeterministic interleaving. Alternatives include partial-order models and other “truly concurrent” models such as Petri nets (for issues about interleaving versus true concurrency, consult, for instance, the tutorials in [30]). For real-time extensions of Petri nets, we refer the reader to the proposals by Merlin and Farber [98] (see also [20]) and by Walter [127], and to the related work by Gabrielian and Franklin [41].

Linear because we identify systems that agree on the sets of their possible behaviors. Models that adhere to the combined assumption of interleaving and linearity are often called trace models, because they represent reactive systems as sets of traces. Alternatives include branching models with various stronger notions of system equivalence such as bisimulation (for the entire spectrum of possible equivalences, see, for example, [125]). These models are traditionally studied in process algebra and, to some extent, in branching-time temporal logic.

Branching-time temporal logics clearly can be extended in the same ways in which we have augmented linear-time temporal logic, by freeze quantifiers or by time-bounded temporal operators. The latter approach has been pursued by Alur, Courcoubetis, and Dill [7], who obtained the surprising result that branching-time MTL, while still undecidable, permits model checking in the analog-clock model. The same conclusions apply to branching-time TPTL [6]. A similar result was independently shown by Lewis; he, too, gave a model-checking procedure for an MTL-like branching-time logic [82].


Asynchronous because we allow state changes at any real point in time. The combined assumption of discreteness and asynchronicity is sometimes referred to as finite variability [17], because only finitely many state changes can occur between any two points in time. Alternatives include synchronous models, in which all concurrent activity happens in lock-step; that is, the term “synchronicity” is used in the sense of Milner [100]: all component processes are clocked by a global clock.

The combined assumption of true concurrency and synchronicity has been called maximal parallelism by Pnueli and Harel [110] (although the term has also been used in connection with a weaker notion of synchronicity [73]). Pnueli and Harel contrast a maximally parallel semantics with our asynchronous interleaving semantics. Maximally parallel models identify “next-state” with “next-time” and, therefore, the next operator of traditional temporal logics can be used to reason about real-time properties. This approach has been taken by Pnueli and Harel [110] and by Gabrielian and Iyer [42] for linear-time logics, and by Emerson, Mok, Sistla, and Srinivasan [37] for a branching-time logic. Clearly, any such “calculus of the next operator” is strictly subsumed by our methods, because synchronous systems can be modeled by timed transition systems and time can be forced to act as a state counter in both TPTL and MTL. Moreover, we showed in Chapter 4 that the simplifying assumption of synchronicity does not make real-time verification any more tractable.
7.1.2 Syntactic alternatives: Real-time languages

Now let us point to some of the work that builds on the model of computation that we have used. There are two main categories of languages that have been proposed to define sets of timed state sequences — temporal-logic-based formalisms and automata-based formalisms. We include in this discussion all languages that can be interpreted over timed state sequences, even if their original semantics are somewhat more restrictive than ours, for example, “truly concurrent” by requiring that time increases strictly monotonically. Also, while almost every concrete proposal assumes a particular model of time — usually either a discrete or a continuous time domain — most of the languages in the following two groups can be interpreted in both the digital-clock model and the analog-clock model.

Temporal logics The overwhelming majority of extensions of temporal logic for real-time reasoning fall into one of two classes:

1. Logics with time-bounded temporal operators similar to MTL. This approach to the specification of timing properties has been advocated by Koymans, Vytopil, and de Roever [71, 72, 74], although an early proposal by Bernstein and Harter can be viewed as a precursor [19]. Shasha, Pnueli, and Ewald [117] and Pnueli and Harel [110] have also used this method of expressing timing constraints. All of these proponents have been interested in deductive verification only and have employed ad hoc proof techniques that make use of a few valid formulas of MTL. While Koymans’ syntactic and semantic assumptions are far too permissive to obtain model-checking algorithms, Pnueli has applied the logic primarily in the overly restrictive synchronous case. Under the assumption of being given a complete axiomatization for MTL, Hooman and Widom presented a relatively complete proof system for verifying MTL-specifications of CSP-like programs [61].

2. Logics with an explicit time variable; that is, a state variable that refers, in any state, to the current time. In Section 3.1, we called a generic version of this type of language “real-time temporal logic.” Scattered examples of this method of expressing timing constraints have been used by Pnueli and de Roever [109] and by Ron [114]. More systematic expositions of the logic can be found in the work of Harel, Lichtenstein, and Pnueli [53, 54, 110] and of Ostroff, who has presented a wide variety of interesting applications [104]. More recently, the use of a time variable has been advocated by Lamport and Abadi in the Temporal Logic of Actions [80]. All of these proponents have employed, for real-time verification, untimed safety proof methods in the spirit of Section 6.2. Ostroff has given model-checking procedures for a limited set of properties. Only Harel, Lichtenstein, and Pnueli have been interested in questions of decidability and, after we showed their logic to be undecidable, they identified a nonlogical decidable fragment that has a model-checking algorithm. We already critiqued the introduction of a time variable into temporal logic in Chapter 3 and found it to be both unnecessarily unwieldy for specification and prohibitively expensive for finite-state verification. It was these drawbacks that led us to design the logic TPTL.

The kind of assertional reasoning about real-time safety properties that refers, in state assertions, to an explicit time variable can also be carried out in nontemporal Hoare-style proof systems. This approach has been advocated for various kinds of programming languages; for instance, by Haase [47], Shankar and Lam [116], Schneider [115], and Hooman [60].

Real-time extensions of interval temporal logics (for example, [27, 97, 102]) do not fit properly into either of these two categories. Also the real-time logic RTL of Jahanian and Mok [63], essentially an extension of Presburger arithmetic with unary predicates, is quite different in flavor from conventional temporal logics. In Section 3.5 we showed it to be undecidable. Jahanian and Stuart have identified some decidable classes of RTL-formulas and presented, similar to Ostroff, specific model-checking procedures for individual classes of timing properties [65].

Automata As an alternative to logical languages, both specifications and implementations can be described in automata-based formalisms. We distinguish between operational and nonoperational approaches, in the sense that only the former restrict us to congruous definitions of real-time properties and, therefore, only they can serve directly as machine models or programming languages:

1. Timed transition systems fall, as we showed in Section 2.1, into the executable class. Similar state-transition systems with minimal delays and maximal delays on transitions have been defined by Pnueli and Harel [110] and by Ostroff [104]. Burch has used unit delays only [23]. Jahanian and Mok have modified Statecharts to Modecharts by incorporating minimal and maximal time delays [64]. All of these references use the state-transition systems as implementation languages only and specify real-time properties in one of the logical languages we discussed above.

A second group of researchers has used automata for both specification and implementation. Merritt, Modugno, and Tuttle have augmented I/O automata, which distinguish between input and output events, with minimal and maximal transition delays [99]. A variant of this model has been studied by Lynch and Attiya, who verify real-time properties by mappings between automata [85]. Aggarwal and Kurshan have extended Büchi automata in a similar way and use finite-state techniques for the verification of real-time properties [3].

2. Alur and Dill have added timing constraints to finite automata over infinite sequences in a much more flexible way than by putting only minimal and maximal delays on transitions [8, 9, 33, 34]. A comprehensive account of finite-state verification techniques that are based on this powerful notion of timed automata has been compiled by Alur [6]. Lewis has proposed a similar nonoperational extension of finite automata with time [82].

As far as we know, nobody has formally addressed the issues of real-time stuttering, safety, liveness, and operationality, nor has anybody attempted to use the digital-clock model for the verification of continuous properties. Although we presented model-checking algorithms for the verification of timed transition systems only, it is not difficult to use our digital methods to check if, say, a timed automaton meets a temporal-logic specification.

We remark that while the extension of automata with minimal and maximal delays on transitions resembles the time-bounded temporal operators of MTL, the timed automata of Alur and Dill can be thought of as an augmentation of finite automata with the freeze quantifier of TPTL (although, in the automata context, time variables that are bound to the current time are, instead, called “clocks” or “timers” that are “set” to the current time). Thus there seem to be, independent of any particular language, two principal styles of adding timing constraints to untimed formalisms:
Local Lower and upper bounds on the time differences of adjacent states or actions or temporal contexts only. The time-bounded temporal operators of MTL and the minimal and maximal transition delays of timed transition systems fall into this category.

Global Lower and upper bounds on the time differences of any two states or actions or temporal contexts. In TPTL, for example, a variable can be bound by a freeze quantifier in one temporal context and its value checked, later, in an arbitrarily distant temporal context (provided certain scoping rules are obeyed). Similarly, a timed automaton can set a clock with a transition and check its value, later, at an arbitrarily distant state. Also, while local timing constraints seem to dominate in process algebras and Petri nets, it is not hard to come up with such formalisms that permit global timing constraints.

We used the discreteness of time to show that MTL and TPTL are equally expressive in the digital-clock model. Yet it is doubtful that the global style of defining timing relations is in general no more expressive than the local style. In particular, we suspect that there are real-time properties in the analog-clock model that can be defined in TPTL but not in MTL. This remark anticipates our final comments, which briefly discuss some open problems in real-time verification.


7.2 Some Directions for Future Research

It is perhaps a sign of the vitality of a field that the answer to every question opens several new questions. Indeed, little has been solved in formal reasoning about real-time systems. Thus we find it appropriate to conclude by raising, in no particular order, a few problems that we would like to see addressed:

• Making verification practical. Clearly, the applicability of our verification techniques has not matured beyond the level of toy examples. We hope, however, that we have demonstrated the theoretical suitability of temporal logic for real-time verification, and that our languages will generate sufficient interest to warrant research on improving the practicality of our approach. The improvement of the finite-state verification methods is particularly pressing in the real-time case, which we showed to be exponentially more difficult than untimed verification. For this purpose, it will be essential to:

1. Deal with the state explosion problem of model checking by, say, symbolic and partial techniques [24, 4b].

2. Deal with timing information by symbolic constraints rather than constant delays.

3. Combine model checking and other decision procedures with theorem proving technology.

4. Decompose and compose systems, specifications, and correctness proofs [2, 15, 16].

Finite-state techniques will prove to be particularly useful if they can be practically applied not only to the verification of given systems but also to the automatic inference of time bounds and the automatic synthesis of system skeletons [34, 36, 94].

• Increasing the scope of verification. There are several problems about the deductive verification of real-time properties that have been left open in this thesis:

1. Find a complete axiomatization for MTL (some axioms for a more general version of MTL than ours have been suggested by Koymans without claim of completeness [71]).

2. Classify more complex real-time properties than bounded response and bounded invariance to obtain a hierarchy of real-time properties similar to the untimed hierarchy of temporal properties [93], and find relatively complete proof methods for all classes of properties in the real-time hierarchy.

3. Determine which analog property is established if the digital-clock model is used to show that a timed transition system meets an arbitrary (i.e., not necessarily digitizable) specification that is given as a formula of TPTL or MTL.

• The analog-clock model. We feel strongly that in the analog-clock model, the interval semantics (see Section 3.4) is more appropriate than the timed state sequence semantics, and recently we identified a real-time temporal logic that yields to finite-state verification techniques under an analog interval interpretation [9]. This result and the analog verification methods for timed automata [8] suggest that our indirect approach through the digital-clock model may be unnecessarily roundabout. However, from a theoretical perspective, the picture regarding the analog-clock model is far from complete.
We showed that the appealing untimed identification of finite-state properties with ω-regular languages leads also to a clean notion of “finite-state real-time property” in the digital-clock model: the class of digital finite-state real-time properties is exactly the class of properties that can be defined by sentences of the second-order theory of timed state sequences or, alternatively, by the temporal logic TETL or, alternatively, by timed automata or, alternatively, by several equivalent untimed formalisms with additional time-difference and time-congruence propositions. Moreover, this class is closed under all boolean operations and all problems of relevance to verification are elementarily decidable. It is, on the other hand, not obvious to us what constitutes “finite-state” information about a sequence of real numbers. Thus we have asked the question [12]:


Is there an agreeable notion of finite-state real-time property in the analog-clock model? The set of such properties ought to be closed under all boolean operations, have an elementarily decidable emptiness problem, and be, in a suitable sense, “maximal.”


An acceptable characterization of analog finite-state properties would also lead to a theory of expressiveness of analog languages, including analog TPTL, analog MTL, and timed automata.


• Local clocks and hybrid systems. By adding time to transition systems, we introduced a single variable that changes continuously in the analog-clock model. This quality distinguishes time from all other system components. From here it is not hard to conceive of timed transition systems that permit all variables to change continuously as functions of time. We may, for example, add differential equations to all states of a timed transition system. The equations in a state govern the continuous change of all variables as long as the control of the system resides in the state. For instance, consider the following timed transition diagram, which models a thermostat:
The boolean variable heat indicates if the heater is turned on. The real variable T represents the room temperature and changes continuously: when the heater is turned on, it increases as a function of time; otherwise it decreases. The heater is turned off whenever the temperature rises above 70 degrees, but there is a delay of 6 time units from the time that the temperature actually passes the threshold to the time that the heater is turned off; the heater is turned on again as soon as the temperature falls below 65 degrees after another sensory and mechanical delay of 6 time units.

What we have just described is called a hybrid system, because it combines discrete and continuous elements. It can be given the semantics of Maler, Manna, and Pnueli, which is an extension of our interval semantics to several continuously changing variables [87]. As the results of Section 3.5 may prove to be insurmountable obstacles for the finite-state verification of hybrid systems, the interesting questions concern proof methods for hybrid real-time properties. We also remark that variables that change implicitly as functions of time, without the system taking any of its discrete transitions, can be used to model (analog or digital) local clocks, an important concept in many distributed algorithms.

• Freeze quantification. The freeze quantifier, which has turned out to be so useful in dealing with time, can, in principle, be added to any propositional modal logic, completely independent of the notion of time. Indeed, there seem to be some intriguing prospects for other applications of freeze quantification. Suppose, for example, that with every state of a program, we associate not a single time stamp but an entire vector containing the current values of all program variables, say, $u_1, \ldots, u_k$. The freeze quantifier “$x.$” binds this tuple to the variable $x$, and we have $k$ functions, $\mathit{value\text{-}of\text{-}u_i}$ for $1 \le i \le k$ — one to access each component of $x$ (i.e., the value of $u_i$). This allows us to assert program properties, such as the condition that the program variable $u$ is increased by 1 in the next execution step:

$$x.\ \bigcirc\ y.\ \mathit{value\text{-}of\text{-}u}(y) = \mathit{value\text{-}of\text{-}u}(x) + 1$$

or, in half-order dynamic logic:

$$x.\ \langle u := u + 1 \rangle\ y.\ \mathit{value\text{-}of\text{-}u}(y) = \mathit{value\text{-}of\text{-}u}(x) + 1$$

(for an introduction to dynamic logic, see, for example, [51]). This property is ordinarily stated in a much richer, first-order, modal logic:

$$\forall x.\ (u = x \rightarrow \langle u := u + 1 \rangle\ u = x + 1).$$

It can be argued that most transition axioms and input-output relations are more naturally written without universal quantifiers and auxiliary variables. In addition, similar to the real-time case, there may be trade-offs between the expressiveness and complexity of programming logics with different forms of quantification.

Other applications of the freeze quantifier can be found in half-order logics of knowledge. For example, in the course of the knowledge-based analysis of a protocol, Halpern and Zuck introduced the notation to denote the proposition $p_i$ for the value $i$ of the variable $i$ in the current state [50]. This condition can be naturally expressed by freeze quantification. One may also attempt to interpret the freeze quantifier as a kind of personal pronoun that ranges over the domain of agents that are reasoning or the processors of a distributed system (for an overview of the use of epistemic logics in distributed computing, we refer to [48]).